Well, sometimes when you hit certain plateaus, you sometimes feel the need to "espouse" something great.

This won't necessarily be great but *eh*.. it'll do.

AO has come a long way from when I first joined and lurked. I came here because of "troublesome" students (particularly one brightness who printed out ALL his video pr0n --- I figured he wanted to make a flip book or something... *shrug*). Anyways, since then the direction and feel of the site has changed. Maybe for good, maybe for bad. It has changed however.

One of the changes that has occurred is the attitude I find that people take towards "hacking" (I'm using the general term rather than what I envision "hacking" to mean -- those that truly understand the system in question, be it an OS, a network, the art of hockey or cycling). I took from this site, and still believe, that to truly understand what goes on as far as malicious attacks, you need to know and understand those attacks. It helps you defend your systems. There shouldn't be a fear of discussing those attacks in these forums (I see too often the whipped out "THIS IS A SECURITY FORUM, YOU MORON!"). The advantage of letting those "morons" talk is that you'll see sometimes what some attackers are doing, even if they are script kiddies. Keep in mind that they will do their illegal activities regardless of the answer they get here. The difference is that you won't know who their target is and won't be able to prevent it from happening (errr.. social engineering anyone?!).

I choose to have wargames in my classes so that students can explore this safely and legally in an environment without having to go outside and potentially get arrested. Granted I do tend to use a fair amount of ethics and remind them of the legal issues that can happen but at least in this environment they can let out what it is they want. Is this a perfect solution? Naw but it helps. It can get a few over the scriptkiddie stage and that initial "oh look how kewl this is!!!!" giggles that come with first experiments. It's interesting to see them go beyond that when it comes to security because now they've looked at even the simplistic and start (*GASP*) thinking outside of the standard "security practices" box.

IMO, if we ignore the activities of even the simplest scriptkiddies we'll end up behind again in our defenses of systems (do a search for University of Berkeley and Nipissing University for recent examples). We will ignore the simple while looking for finesse. We'll never find the finesse, however, if we don't see the basics (mostly because it'll stand out in stark contrast). In essence we do need the Full Disclosure option to be here. I joined the FD list so that I could see more of what goes on and have a better heads up than what the SecurityFocus lists (BugTraq in particular) provide. I find that BT tends to be behind somewhat and censors out too much. Symantec may believe, much like MS, that "exploits are only created after patches are released" but I believe that's too risky of a view to have. I'd rather have everyone know about a problem and even put in a "Bandage" temp solution than no solution. Not that patch systems work either (I'm surprised that more Patch Management companies aren't making killings out there).

Is having FD a perfect solution? No. It may bring to light to some attackers that a specific hole exists without any fixes (even if we have followed proper bug submittal procedures -- that is, submit it to the software developer and give them 4-6 weeks to fix) but I suspect there are still channels that the "underground" use and they'll find out somehow, wouldn't they? Even with that risk I'd rather have everyone know -- even if it means scriptkiddies will use the POC -- than attempt some half-assed "security through obscurity" by trying to hide it until a patch can be produced.

Anyways, that's my "great post" for this plateau. Perhaps not so earth shattering but maybe some will consider it when responding to the "how do I ....". Knowledge and information are powerful things. Why are we choosing to ignore them?