
We don't teach you...
I recently joined a channel on Freenode IRC and asked where to find some documentation for a special Metasploit auxiliary module that was very new in the SVN repo. hdm is sometimes lurking around, and people there are normally very friendly and helpful. It turned out not to be that typical day: "We don't teach you how to hack [...] use Google" - But we use your exploits?!
Fine ;). I can live with that, but that's beside the point. The more interesting question has to be whether sharing "secretive" information just in an elite circle helps to improve the situation. And I'm very sure it doesn't. Especially if we keep in mind that even a huge number of professional "pentesters" are too accustomed to automated tools - and don't even know manual scanning. My opinion is: We have to change our attitude in order to keep up.
If you're an old hand and have spent your days with geeky people, you're able to trigger their friendly side. But if not, doors stay closed. That has no future.
Subversive teachings
The main impulse behind secretive sharing is some kind of prestige many people fear losing.
Being a hacker means sharing a collective spirit that also consists of specific knowledge. Often this knowledge has subversive tendencies and comes with abusable powers. Irresponsible use of certain techniques has led to problems. So does keeping the stuff secret: too many programmers don't know about secure coding standards or why they are important, because it has never been shown to them. Exploit development and the techniques to discover vulnerabilities are open nowadays. There's good literature, but the pragmatic background is missing concrete examples.
Not everybody shares the same will to explore the depths of computer technology. There's the cursory .NET developer and his friend, the suit-wearing SAP consultant. As long as the knowledge stays underground, those computer folks have no reason to care about IT security. They will never dive into the scene. And that's not bad - as long as disclosure follows certain rules. Thing is, it doesn't.
Welcome to the dark side of software engineering
Certainly security, speaking of integrity, availability and so on, is something to expect of every product. To get this, you have to go through the process of securing: software testing. Expensive - so management decides overnight: "Hey, it's ready, dudes." I call this a new era of software crisis. Management calls this "deadline" or "more efficient". Now you could try to refer to very expensive security problems in code. And you meet your friend again. Mr. DotNet. How to reach him? Show him the low-level C exploit code. If you're friendly you can decode the shellcode before you make your stand.
The problem remains unsolvable as long as the knowledge isn't out there - everywhere. "No more free bugs" - yes. I don't want to get sued, either. So let the vendors dance for me. But according to what I see, they ignore you as long as they can. The only solution for this crisis is teaching how to hack. Some universities already do that. Well-known universities like Harvard or Stanford call this "Ethical Hacking" while picking up the good old hacker ethics. And that's the only way: make the knowledge free. And get open. You have to teach the people how to hack, because computers changed the world. Now it's time for us to change with them.
Have fun,
wishi


