
Thread: from User to Administrator

  1. #11
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    let's think about this for a minute...there are a number of well known and even more lesser known ways to accomplish what grazianol has requested. by not discussing them, here and everywhere else, we are allowing those vulnerabilities to either a) go unpatched by the vendor or b) go unpatched by the subset of administrators who are perpetually uninformed and 2 days (if not 2 months) behind.

    i've had several pm's with a number of members who <quote>didn't know they had their pants down</quote> but are now thankful that such information was shared so that they could provide a more stable/accountable environment. i guess my issue is that if we're not here to discuss security issues - what is the point? to bash around jokes...? post external news articles...?

    and i understand the point that grazianol, being new to AO and asking the typical 'catch-all' script-kiddie type question, the information doesn't seem to serve him well...but who else reading might _benefit_ from the dissemination of such information?

    information is neither good nor bad - that's the result of human action...and while i sympathize with the conscientiousness to avoid giving information to those who indicate the intention to act poorly with it...from my own perspective to withhold information only keeps others in the dark longer - and we can't act for grazianol, it's a decision he'll have to make for himself - but hell, i'd at least give him the opportunity to make that choice - and possibly help inform others so that by the time he makes a choice, and if chosen poorly, then it's a null issue. grazianol then has time to rethink his actions and possibly come to a different conclusion.

    and i know that i'm the 'exception' to the 'rule' in this forum with regard to this attitude - so i don't expect anyone to agree with me; and i'm okay with that...just voicing my own ops.
    -droby10

  2. #12
    Originally posted here by droby10
    information is neither good nor bad - that's the result of human action...and while i sympathize with the conscientiousness to avoid giving information to those who indicate the intention to act poorly with it...from my own perspective to withhold information only keeps others in the dark longer
    I agree Droby... HOWEVER, I'm sure JP wants to keep his site holding acceptable information, and we are here to relay the information in an appropriate manner. It is okay to discuss the situation as "How you can prevent a script kiddie from doing or a cracker from cracking". However, to tell someone how to gain unauthorized access to a company machine is wrong. Why do you think 2600 meetings are always being harassed? They put the information out there without counter measures. We don't look at you and say you shouldn't post "To avoid a script kiddie or cracker from accessing Admin privileges by...........", but to say... Oh, Yeah. That is easy. Use ......... to crack the admin password, set yourself up with local permission, and erase your tracks. That is just asking for people to get into trouble. I don't know if you feel the same way as I do, but it is all in how the information is presented. If a script kiddie takes the information from a "how to avoid" and uses it on a system, then at least we didn't directly tell him how to do it. He just took advantage of an exploit.....

  3. #13
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by droby10
    let's think about this for a minute...there are a number of well known and even more lesser known ways to accomplish what grazianol has requested. by not discussing them, here and everywhere else, we are allowing those vulnerabilities to either a) go unpatched by the vendor or b) go unpatched by the subset of administrators who are perpetually uninformed and 2 days (if not 2 months) behind.

    i've had several pm's with a number of members who <quote>didn't know they had their pants down</quote> but are now thankful that such information was shared so that they could provide a more stable/accountable environment. i guess my issue is that if we're not here to discuss security issues - what is the point? to bash around jokes...? post external news articles...?

    and i understand the point that grazianol, being new to AO and asking the typical 'catch-all' script-kiddie type question, the information doesn't seem to serve him well...but who else reading might _benefit_ from the dissemination of such information?

    information is neither good nor bad - that's the result of human action...and while i sympathize with the conscientiousness to avoid giving information to those who indicate the intention to act poorly with it...from my own perspective to withhold information only keeps others in the dark longer - and we can't act for grazianol, it's a decision he'll have to make for himself - but hell, i'd at least give him the opportunity to make that choice - and possibly help inform others so that by the time he makes a choice, and if chosen poorly, then it's a null issue. grazianol then has time to rethink his actions and possibly come to a different conclusion.

    and i know that i'm the 'exception' to the 'rule' in this forum with regard to this attitude - so i don't expect anyone to agree with me; and i'm okay with that...just voicing my own ops.
    droby10, you pose an interesting point, however, in an 'open' community such as AO, it is very difficult to tell if you are dealing with a Security Professional or a script kiddy (no offence grazianol). Open discussion between two security professionals about such topics is likely a good thing, however, open discussion between a security professional and a script kiddy or cracker, I believe, would be a negative thing which could result in damage to systems and even companies. Until I get to know a person in the AO community, I prefer to keep any answers to, 'what is the correct way to get the access', not 'what is the illegal way'.


    Cheers:
    DjM

  4. #14
    Originally posted here by DjM
    Until I get to know a person in the AO community, I prefer to keep any answers to, 'what is the correct way to get the access', not 'what is the illegal way'.
    I tried to make a point in my above post in regards to this issue. I believe it is okay to bring up a discussion on counter measures in regards to a possibility of a ScriptKiddie or Cracker performing XXXX activity. In that case if a Kiddie/Cracker read the article and used it on a vulnerable system, the fact is we are as responsible for sharing that information as much as security focus is responsible for posting exploits. However, I disagree in giving that information out in an answer that posts a question how can I get admin privileges on an unauthorized box. In a situation like this, we as professionals, and resources of the information security realm should set these individuals on the correct path, and guide them through the appropriate way of going about the discussed process. This allows for the sharing of both types of information in a responsible and professional way that everyone could agree with...

  5. #15
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    thanks guys, i really do appreciate the willingness to listen and offer feedback; as i'm just trying to introduce some differing ideas. i have always endorsed the point of fully covering the topic from both angles. and the ability or requirement to trust someone before handing the goods over is definitely a positive quality to have; i've just never had it (either because i trust everyone or trust no-one leaving me indifferent...i haven't figured it out yet).
    -droby10

  6. #16
    Senior Member cheesegoduk's Avatar
    Join Date
    May 2002
    Posts
    224
    Yeap I agree with doing it the good way, breaking in it would be a waste of time, because you would get found out and removed.

  7. #17
    As a SysAdmin, I'm happy to see that people from the AO community take their responsibilities to help sysadmins keep their little secrets.

    I agree not to give those secrets to anyone asking directly: "How do I get access to that, 'cos my admin don't wanna...?".

    On the other side, the best security adviser in the world must be one of the best hackers at the same time. I just hope that this Wiz out there is the type of hacker that will find the security holes on its own computer.

    If you wanna learn, create yourself a lab or use your own computer with internet access. If you need to learn stuff for work, I'm sure your administrator will help you get the necessary privileges to do your job.

    If none of the above, then live with the fact that when you get to other people's world, you have to live by their laws!
