Thread: Security hole exploiting and AO

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    472

    Security hole exploiting and AO

    Lately there have been a few tutorials posted explaining how to exploit certain security holes in software and web-sites.

    I wonder if AO's members by doing this are helping crackers, making it easier for them to do a successful crack. Perhaps it may be wise to leave out some details, so the tutorial actually won't work the way it's written, but only explains the security hole. Or should all juicy details be included?

    May I have your opinion, ladies and gentlemen?
    ---
    proactive

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    I think it sucks, I have to laugh tho, half of the tuts are so badly written it's hilarious - it's just lamers trying to show other lamers how to be lame.

  3. #3
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    I'm thinking if someone writes a 'tutorial' it should be reviewed and cleared (if it's not already, I haven't written anything) by someone on the AO staff, much like the user accounts are. This way, if you write something and it's a "how to hack (name here)", there's a good chance it won't be allowed in, or maybe the reviewer could remove the "here's how to break this" part and keep only the problem part. I don't condone the writing of a how-to-hack tutorial/etc but if it gets an unknown problem out in the open, workarounds can be done. I'd be MUCH more impressed if the person wrote a tutorial on something, said how they broke it, and then said how you can *fix* the problem. THAT would be good. But then again, people trying to learn how to "hack" don't seem to understand that point.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  4. #4
    I've noticed a lot of talk about lamers and stuff lately. I don't ask questions just for the fun of reading the replies. I am a college student (NetSysEng) and I am still somewhat of a newbie to security issues. I ask what I need to know; nothing more. I'm not afraid to read the material Ennis or Focmaester or petemcevoy says I should. Not all of us are here for the wrong reasons fellas.
    We Know Who You Are.....

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Security hole exploiting and AO

    Originally posted by proactive
    Lately there have been a few tutorials posted explaining how to exploit certain security holes in software and web-sites.

    I wonder if AO's members by doing this are helping crackers, making it easier for them to do a successful crack. Perhaps it may be wise to leave out some details, so the tutorial actually won't work the way it's written, but only explains the security hole. Or should all juicy details be included?

    May I have your opinion, ladies and gentlemen?
    Well, the problem here is that the door DOES swing both ways. I can see it could cause problems if crackers are able to use the information for their own benefit, but also think that posting the juicy details could help a programmer shape up his or her code, or a SysAdmin lock down his or her network.

    As long as there are some people benefiting for the good, then I have no problems with having exploits detailed.

    I understand though, that in the context of a tutorial, it might be better to write tutorials from the standpoint of 'this is how to prevent these exploits from working', etc..

    Personally, I think posting code that is entirely malicious is way over the line. AntiOnline bills itself as a site that is geared towards helping people understand how to protect themselves from crackers, yet it's allowable for malicious code to be posted in the forums with no recourse?

    To me, that's only promoting script-kiddies. It's tantamount to saying "Here's a script that will hack hotmail for you. Download it and run it!"
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    proactive, seeing as how this is a security site, it is necessary that we hear about in detail the exploits available for our computer systems so that we can properly protect against these problems. A good example is the thread of hacking cgi-bins. This is a place where many often times leave password files that can't be protected. By displaying what crackers would do to exploit our systems, we can fix them so that they are more secure, and test the systems using the exploit to be sure that it doesn't have these holes. I believe that most of the exploits posted here have been available for quite some time, and even if not posted here, they could be found using web searches. I am all for full disclosure concerning security threats so that the problem could be fixed as soon as possible.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    Post exploiting security holes?

    sorry
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  8. #8

    Agree

    I agree 100% with ThePreacher. Full disclosure and discussion (and solutions) is the basis of the open source community that we know and love.

    Pete is also right


    I think it sucks, I have to laugh tho, half of the tuts are so badly written it's hilarious - it's just lamers trying to show other lamers how to be lame.

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    Hillbilly75 & thepreacher -- I don't think you fully understood my post, I never mentioned any names but I'm pretty sure anything that ennis or focmaester post is pretty useful. A lot (say, half) of the tutorials are an excellent source of information, however, tutorials telling people how to map windows file/print shares or get someone's IP when using instant messaging are a pile of scwipt kiddie ****, don't try to tell me these are to give people a greater understanding of security risks, they're just step by step instructions for lameness.

  10. #10
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542

    Thumbs up Re: petemcevoy

    petemcevoy could be right
