
Thread: members giving out info for attacks

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    320

    members giving out info for attacks

    ok, I am sorry if I offend anybody, but it is my belief that this website is for making security better for the civilized world. Lately (and correct me if I am mistaken) I have noticed a trend. People (some seniors) on this site telling (obvious) idiots how to escalate privilege / spy on co-workers / otherwise gain un-approved access.
    Maybe it's just me, but I would like to see this site stick to its original theme; (real) security for (real) security minded individuals. Not to put anybody into genres, but white-hats. Maybe I am just being paranoid or whatever, but please... let's keep the sploiter/crackers out there... not in here. If anybody feels different, I welcome disagreement. (not to start an argument, but open discussion. And before you post, I know I am a junior member w/ barely any points) But let's keep this site for what it was meant for.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    how to escalate privilege / spy on co-workers / otherwise gain un-approved access.
    Curious have you read any of the Hacking Exposed books? Google Hacking?? It's not like they're telling them something that they wouldn't read in these books... Well asking members to watch what they post well ummm trust me it won't work....

    BTW plenty of legit security websites offer info on how to do those things as well .....
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    I own several of the books, and you are right... they can learn this stuff from those books. But I was just saying that (as I view it) this site isn't meant for that kind of research. If they want ... Go buy the book, and read it. I got nothin against that. I was just saying that this site isn't for that (in my humble opinion)
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  4. #4
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Do you learn how to use a machine gun to kill or to defend yourself? You will say it depends and I know ..........

    It is well-known that in order to find countermeasures for something you should know how the attack functions and takes place ........
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    The point that, in order to defend a system from attacks, you must first understand those attacks and how they function, is already well understood. I believe what is being argued here is whether or not the publication of those attacks is sound practice. Before looking at this site and judging it by the attacks published on it, have a look at http://cve.mitre.org, which publishes known vulnerabilities for everyone to see. At http://www.securityfocus.com/bid, you can even find ready-made exploits for many of the more common known vulnerabilities. Nobody has questioned the importance, or the ethics, of publishing these. There is a strong historical and present precedent for publishing attacks.

    By saying that the publication of attacks will hurt the Internet as a whole, you are assuming quite a bit, such as:

    1) Attackers cannot find this information elsewhere
    2) Attackers will not find avenues of exploitation without this information
    3) The existence of such information here will increase the number of attacks
    4) Said information will create attackers, script kiddies, black hats, or whatever you want to call them

    Simply put, this is untrue. Potentially harmful information can not only be found on "whitehat" sites, but also on underground sites, "grey hat" sites, printed works, and so on. The number of publicly available sources of this information is innumerable. However, the simple fact that others publish this information is not enough to justify its spread.

    Even if this information were not published, attackers would find ways to compromise systems without it. Granted, the number of these attackers would be far fewer, however the people equipped to defend against such attacks would be far fewer as well. Beyond that, an attacker is made by desire and motivation, not by the information available to him/her. This desire and motivation is in and of itself sufficient to create an attacker out of any properly motivated individual, independent of available information.

    Believing that this information will increase the number of attacks in the wild is also a delusion. What is in debate on this point is the definition of an "attack". While this information may indeed increase the number of "script kiddie" type attacks, these attacks are easily prevented with minimal security measures and program updates. Some people may indeed come here, learn a new attack, and put that attack into practice. However, most of these attacks are already well known by the time they are published here. The threat of their increased use is minimal as measures already exist to defend against them. This site does not merely publish attacks, but also the methods used to defend against them. Serious members here respect that credo and offer defenses to attacks they publish. What this information will not do, however, is increase the number of serious threats against IT security. These threats come from individuals with knowledge far greater than what is offered here; knowledge that can only be gained through a lifelong pursuit of IT security and its loopholes, and not by the application of a set of instructions for which countermeasures already exist.

    As discussed earlier, this information will not create malicious users either. An Internet forum would have a very difficult job of converting people to the "dark side", especially without any effort. We are not trying to do this here. This motivation is born in an individual. By the time they are capable of applying such attacks they are long aware of the values of right and wrong. The decision of whether to use information for good or evil has already been made long before a visitor arrives at this site.

    What we attempt to create here is a place where people can come to discuss problems and threats in a friendly atmosphere with a personal touch. I cannot count the number of times people have posted a question to which their first reply is an expression of amazement at how quickly they found a response waiting for them. Although we publish attacks and educate people on methods to use them, we apply a personal touch, which hopefully will subtly teach the human impact that potential attacks might have - the one aspect usually unknown to neophytes.

    And as long as we're classifying this site by the hat it wears, this site, since going mainstream, has always been a greyhat site. It was once described as the conveyor belt between the underground and the corporate security world. We attempt to bring exploits and their countermeasures together in a friendly, personal environment. I think we do that quite well.

    Now as far as keeping the skiddies out, I think we do a good enough job of that already. These people are usually quickly identified and humiliated / flogged / slapped around a bit with a large trout. Identifying them is not difficult.

    This site once operated under the motto "Hackers know the weaknesses in your system. Shouldn't you?" I believe that remains to this day the driving principle behind this forum.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.


  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by Black Cluster
    Do you learn how to use a machine gun to kill or to defend yourself? You will say it depends and I know ..........

    It is well-known that in order to find countermeasures for something you should know how the attack functions and takes place ........
    Adding to this, whether you're defending yourself or attacking, you have to know how to pull the trigger.

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Ok, so the next time some kid comes here and asks how to use knoppix to get by his school's defensive policies, I should just tell him, because this knowledge is already out there?
    Sure, knowing how an attack works is very helpful to preventing it, it is not a necessity. I don't think you NEED to know how that patch modifies your operating system (regardless of whether you should know or not) to patch your system.
    Maybe I am being naive, but it doesn't seem right to me.

    some guy comes in here and asks how to recover a password he has from a hash (god knows how he got the hash, if he doesn't know how to use cain or john) I someone happily tells him ? I dunno.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    some guy comes in here and asks how to recover a password he has from a hash (god knows how he got the hash, if he doesn't know how to use cain or john) I someone happily tells him ? I dunno.
    That choice is yours. If you choose not to do it, then don't. There is no requirement to do so. If others choose to do so, they can.

    But, with each they have to be satisfied with their own ethics. I've seen many members question and challenge those that straight out say they want to by-pass company/school defenses. On the flip side, I encourage my students to break into each other's machines in class. So if they were coming here looking for advice, it'd be legitimate and I'd personally have no issue nor would I question their ethics on it.

    Really, what it boils down to is what the true ethics and desire of the poster is. There is no way we can 100% say for sure that they will be 100% ethical or 100% unethical. Some may be exploring at home for the sake of exploration in a safe environment. Some may be truly doing damage outside. We don't know and we really can't make assumptions either way.

    All that you can do is what *YOU* feel is in good conscience.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  9. #9
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Ahh hell, maybe this time I have to bow out and accept the facts. MsMittens is right.
    All that you can do is what *YOU* feel is in good conscience.
    I suppose this really is the correct way to go about things. Good luck trying to change another's ethics... I will continue to do what I think is right, and you guys will too.. hope it is and see ya on the boards
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
