August 10th, 2002, 12:52 AM
Free Hackers Manifest
Originally posted here.
First discovered on NTbugtraq.
|=--------------------=[ Judgment Day ]=------------------------=|
|=---------------=[ Free Hackers Manifest ]=--------------------=|
Free Hackers versus "Ethical-Corporate-Hackers"
In respect with the spirit of the manifest Authors will remain forever anonymous. The manifest is offered to the community under the Free Documentation License (FDL) [http://www.gnu.org/copyleft/fdl.html].
0 - Facts
1 - Accused, to whom the crime profits
1.1 - Software Vendors
1.2 - Security Service Firms
1.3 - Fallacious "hackers"
2 - Defendants, the rights at stake
2.1 - User Land, hear my cry
2.2 - Hacker Space, free as in freedom
3 - Indictment
4 - Verdict
5 - Reference
--[0 - Facts
Some will share, others will keep gems to themselves.
We are judge to none.
Today some wish to force the ones that share not to, for it depreciates the value of greed.
We will defend freedom, and fight to preserve the open-space, that air we breathe.
-What happened ?-
Once upon a time many of those "Chief Technologists/Hacking Officers" of the flourishing security industry were just a bunch of young pranksters eager for technology.
And the pranksters collected into groups lurking on some computing specifics: hacking. Many good things arose from those groups, sweets for the brain.
And the groups got respect, for their findings came atop a pyramid of knowledge that every one helped build. Recognition by peers, ultimately being called a "hacker", was the highest retribution.
And the kids went to high school to get an MBA, get a car, get a job, get money, try to make an aggressive buy-up on that pyramid, trade it for a buck. In the same course, the rise of communication and Internet growth had Corporations begin to fear those strange pizza-cola eaters: The corporate knowledge, they called "trade secrets", they did not want to trade with hackers - at all.
Secret service has a saying: "kiss the hand you couldn't cut", and so corporations cunningly inflated pizzas with money, and some "old school-full disclosure-non profit hackers" turned to security firms belly dancing with software vendors.
Some started regulating with "disclosure policies", their publishing of knowledge. Not yet "Non-Disclosure Agreements" though, but a step forward into the semantics. And called it "ethic" ... toward whom ?
-The unthinkable happened-
In a more radical move a bunch tried to -how funny- hack IETF and push for a generic disclosure policy. Can you see that -how strange- Microsoft's employee in the "Acknowledgement" section of the document ? All bullets for the underground, all benefits for the corporate. No commitments to the people.
Thankfully IETF reacted strongly, the draft is no more, for now.
-A putsch from above-
Helped in that by what once was the "elite", a - pretending - general agreement emerged to restrict hacking publications without "ethical" peer review. They want to moderate your mind, the newsgroups, the mailing lists, all main vectors for public information not in accordance with strong content but with disclosure policies compliance. Legislation is on its way too. Can you say lobbying ? Can you see the ten villains ?
This will not go through.
--[1 - Accused, to whom the crime profits
--[1.1 - Software Vendors
Side note: In trying to sell you hype some use confusion of terms. Very simple psychology: sell **** and call it a rose -or- say the rose is made of ****. It's amazing how many people call free software programmers "Software Vendors". Don't get confused, one of them is not asking for money.
Here's a trade secret: out of a 100 found software vulnerabilities almost 100 will initially come from end users experiencing a bug, and passing the information around (also count disgruntled ex-employees passing code around).
There was a time when information couldn't flow, and as an end user you would have to pay to get a patch. Software Vendors are really longing for this time.
How does "software insurance" smell to you ?
-So they want hackers to adopt "disclosure policies"-
The most candid argument is in warning the vendor will help to get the patch out before the vulnerability hurts. Everyday experience proves this to be a nonsense, because systems are actively exploited LONG before any kind of announcement, because vendors can sit for months on an unpublished bug.
The reasons why vendors are pushing for "d.p." are ... well more down to earth:
Without vulnerability announcements, products look more secure: it helps the sales.
Working hand in hand with "ethical hackers" increases the credibility of the vendor: it helps the sales.
Forcing vulnerability authors to help vendors allows them to benefit from a free task force: it helps to cut down the costs.
Asking for a delay between discovery and disclosure lets vendors have a happy face in front of the press. Good press helps the sales.
At last, knowing who authors the advisories helps vendors for more spin control.
--[1.2 - Security Service Firms
You can get software for intrusion detection, penetration tests, firewalling (etc ..) for free.
You can read from the Internet all necessary documents on security, and become an expert yourself.
Security Service Firms sell consultancy services and security software. Where does the competitive advantage stand ? Mainly in the level of expertise between you and them. Would it help those firms' sales to restrict public access to "valuable" pieces of information ?
It helps their sales to have access to early releases of security issues before you do.
It helps to cut down their costs to have the free community research those bugs for them.
So they want the community to submit all findings to a central intelligence that would sell early release of information to security firms, who in turn sell you pattern updates for their tools and try to discredit free projects. Already, there are reports of big gaps between the sending of some advisory to a well known security mailing list and the time it finally gets published.
To discourage you from publishing information or to try to access it those firms will work with governments to rule it illegal. Saying it's military grade secrets. Which also fits political agenda to protect interests of "big business", and further control any free speech that could modify the current balance of power.
To force you into buying consultancy you will see those firms soon working hand in hand with insurance companies that require "independent and professional peer review" of your entire computing infrastructure. As we know audit firms reports are the most qualified and trustworthy items one could find.
Then, what if running a software would require it to be "tested and approved", as well as the hardware ?
--[1.3 - Fallacious "hackers"
Granted social engineering is part of hacking, you would be surprised how many renowned "Ethical Hackers" have such poor coding skills.
The truth is they take credit for code anonymous writes, or better even, they say how bad they manage to exploit a bug but they won't publish for "ethical" reasons. The truth is that ruling it illegal to release exploits fits them perfectly, so they can still have you think they are "hackers" when they can't make the difference between a shell code and some ASCII art.
On a larger scale it's the very understanding of what a "hacker" is that gets compromised. Until recently you would be called a "hacker" by peer review of your work, retribution by recognition of an intellectual elite. In the avail of , a "hacker" would not be a skilled individual but someone respectful of the "ethical" rules, accredited by security firms.
--[2 - Defendants, the rights at stake
--[2.1 - User Land, hear my cry
User rights are mostly unheard of in the security world.
Everyone must have a rightful access to information to protect themselves against vulnerabilities and patch their systems in time.
Curiously security firms break their own disclosure policies when the affected software is free software. What does that two-face attitude mean ?
Early release in the event of free software (even before a patch is available), moderated information when money is engaged.
Without a warning, users are in a false sense of security.
When someone finds a bug the only certainty is that the bug exists for as long as the software was initially released. As security firms recognize, underground exploits exist before any users hear publicly about the bug. Keeping a vulnerability private is just an open door to crackers.
Ironically crackers can even be taught new tricks by the "Ethical Hackers", granted they spawn a few thousand bucks for the exclusives.
--[2.2 - Hacker Space, free as in freedom
Hacking is a kind of science, and as such should be discussed on its logical basis by anyone that wishes to participate, whether anonymously or not.
Discovering a vulnerability should not imply obligations of any kind for the discoverer - except publishing it, as an engagement towards the scientific community.
Hackers need anonymity for their own personal security - We've seen too many people in trouble with secret service and justice for publishing scientific facts, see the DeCSS case or the Russian e-book hacker.
Also, some disclosure policies make it compulsory for the bug discoverer to help vendors in reproducing and/or solving the bug. This is just not acceptable, discovering a vulnerability should follow military rule: fire and forget. It's not a hacker's job to solve the issue, he's not responsible for the existence of the bug in the first place.
--[3 - Indictment
Free hacking is in danger, not directly by an opposing force, not in a struggle of power, but by ex-hackers that have turned their face from scientific curiosity into greed. The very ones that took part in building the foundations of our common knowledge, want to steal our dreams and wrap it in a shiny paper.
The many ways in which they try to enforce control upon free hackers may be found throughout the reading of their "disclosure policies", that include:
- The infamous "30 days delay" between informing a software vendor of a bug and the public at large -
This is ridiculous and should be a mere "30 days delay" after the initial release of the software before anything gets published simultaneously to all possible audience, because any bug could have been discovered and exploited at any time since then.
- Removal of exploit codes -
Users need to check if their systems are vulnerable: software and version numbers as included in announcement are not enough, a check is mandatory since software programmers often re-use the same code between various software. Hence, between bug announcement and proof of concept code release one could choose for -no more than- a week delay.
- Multi-level moderation -
Usual media used for hacking discussion should never be moderated nor censored for anything else than accuracy. Would the information flow come to a stop, be prepared to wide open your wallet, because those would be the time of the mediocre tyranny.
Would some try to enforce their "disclosure" rules upon all, a new hacker network has to arise, totally free. For this purpose we prepare, and invite free hackers to join in the manifest below.
--[4 - Verdict
--- Free Hackers Manifest ---
This Manifest is published under the Free Documentation License (FDL)(http://www.gnu.org/copyleft/fdl.html), any publication made explicitly in respect with the terms hereby will also follow the FDL.
The author of a published document has the right to remain anonymous, and protect himself from further prosecution or pressure of any kind. His communication should be regarded as a scientific work and treated as such.
(3) Respect of others
The minimum amount of time before a software bug is published can not exceed 30 days after the initial software release, in respect of users' protection, whose systems are already exposed. Past the 30 days delay of the initial software release a security bug must be published as soon as possible.
A delay between the bug announcement and the proof of concept code (if available at the time) must not exceed 1 week for users to test the vulnerability of their systems.
Although announcement will be made by all means possible, Free Hackers freedom must be ensured at all times and as such some mediums of information might just be not suitable (as taking contact with vendors directly).
The Free Hackers recognize their scientific work was made possible thanks to the contribution of many others and will pursue the construction of that common knowledge for free. The Free Hackers will not participate in actions that go against the spirit of this Manifest (such as holding restricted details of public announcements for private firms).
(4) Dormant network
A dormant network of Free Hackers is to be built, for this purpose everyone that agrees with the spirit of the manifest is encouraged to add his e-mail ROT-13 encoded (to foil spammers) below with the ones already there, and to show the document on his/her web site as u.r.l. "/Free-Hackers-Manifest.html".
Anonymous Free Hackers that wish to support the Manifest are encouraged to do so by having their e-mails added by a fellow Free Hacker on his/her web site.
Whenever it will be made clear that traditional means of public information are compromised to the point the above rules are systematically broken (like enforcing any kind of disclosure policies, delaying transmission of information or retaining technical details), the below list of e-mails will be used to activate a Free Hacker Network as such:
(a) Using a web search engine, one will look for every instance of "Free-Hackers-Manifest.html" where he could easily extract a list of Free Hackers e-mail. The web search engine could help in determining the most pertinent lists as being the most linked to, for instance.
(b) The group will work on releasing a client tool for a peer-to-peer network such as the freenet project (http://www.freenet.org), the release name for the tool will be "Free-Hackers-Manifest-.tgz". The tool will be made available by a link on the Manifest web page.
That network will allow for anonymous posting from web based mail client and user base moderation on source e-mails (per original posts and threads).
It must not be possible for any individual to alter the content of any message nor block its diffusion to others.
Spammers will be blocked on the client side, much like one does it with anti-spam code on his mail client, as well restrictions could be set on the number of message one individual is allowed to post per day.
(c) If a group name is required on that network it will be of "Free-Hackers-Manifest".
(5) ROT-13 e-mail list
--[5 - Reference
 Full Disclosure Policy (RFPolicy) v2.0
 Extract from "RFPolicy for vulnerability disclosure",
>My intent is not to push this policy onto the community.
>Everyone can obviously do whatever they feel like. But *I*
>will be using this disclosure policy in all future security
>disclosures, and I encourage anyone wishing to use or modify
>it, to do so.
 Responsible Vulnerability Disclosure Process,
 Bug-reporting standard proposal pulled from IETF
 Re: Remote Compromise Vulnerability in Apache HTTP Server
 Remember when RootShell claimed to be victim from a hack via ssh back in 1998, how long before the first advisories on SSH weaknesses ?
 Compare CVE assignment dates of
Also notice the synchronicity of assignment dates for different research groups, all released under Microsoft the same day.
 http://www.nessus.org, http://www.nmap.org, http://www.openwall.com, http://www.snort.org, http://netfilter.samba.org, ...
 No pointer - but http://www.nessus.org was not accessible to "unfair companies", which used nessus to generate a lot of cash, without helping the community in any way.
 Uniform Computer Information Transactions Act (UCITA)
 Digital rights management operating system
>A fundamental building block for client-side content security is
>a secure operating system. If a computer can be booted only
>into an operating system that itself honors content rights,
>and allows only compliant applications to access
>rights-restricted data, then data integrity within the machine
>can be assured. This stepping-stone to a secure operating
>system is sometimes called "Secure Boot." If secure boot
>cannot be assured, then whatever rights management system the
>secure OS provides, the computer can always be booted into an
>insecure operating system as a step to compromise it.
 ISS Advisory clarification
Klaus, Chris (ISSAtlanta)
 ON THE CUTTING EDGE 2001: A Security Odyssey
>Under the proposal, coalition members would have a 30-day grace
>period to disclose vulnerabilities with law enforcement
>agencies, government agencies and their trusted client. In
>theory, this will give software vendors a head start in
>correcting the problem before anyone knows it exists.
>So far, Microsoft has drafted the support of BindView
>(www.bindview.com), Foundstone(www.foundstone.com), Guardent
>(www.guardent.com), @stake(www.atstake.com) and Internet
>Security Systems (www.iss.net).
 Apache HTTP Server Exploit in Circulation
>ISS X-Force has learned that a functional remote Apache HTTP
>Server exploit has been released. This exploit may have been
>in use in the underground for some time.
 DVD hacker Johansen indicted in Norway
 Russian Author of Adobe eBook Password-Removing Software Held Without Bail, Faces Possible 5-Year Prison Term
 see numerous vulnerabilities announced after initial snmp bug, apache, or bind.
This document is pgp-signed below. Don't trust any claim of authorship unless that individual may produce the necessary PGP keys.
October 27th, 2002, 08:52 AM
November 11th, 2002, 04:04 AM
please don't ban me