Dailydave mailing list archives

Re: New presentation is up: 0days: How hacking really works


From: Holden Williamson <limeyhaqr () gmail com>
Date: Sun, 6 Feb 2005 04:51:18 -0200

Dear list,
  I don't wish to rain too heavily on everyone's parade, but "real
hacking" has very little to do with 0day and even less to do with
remote exploits at all.
Before Dave got quite so hyped about selling CANVAS he used to admit
that 0days, and remote exploits in general (implicitly, at least) were
for the "weekend warriors" - the penetration testing teams and the
script kiddies.
Remote exploits are of use to only these two categories of attackers.
Script kiddies because they have no understanding of true attack
paradigms and penetration testers because they can only attack the
scope of the target which they have been assigned.
Any "real hacker" will already have set up "infrastructure" many years
ago and will maintain this. "REAL HACKING" is done by having root on
boxes and doing a lot of harvesting and correlation of password/auth
token data.
For example, if I wanted to own navy.mil I would not attack navy.mil,
I would go via the Astronomy lab at the University of Maryland.
Likewise when I want to own Microsoft I go via the computer science
lab at Cambridge.
The internet is a network of trust. You are only as secure as the
weakest link in your chain of trust. This is an attack paradigm known
to "REAL HACKERS" as Trusted Path Exploitation.
Any penetration test cannot take into account your ISP or any other
boxes logging into (or having access to in any way) your network.

Therefore, if penetration testing without 0days is useless in the face
of 0days then penetration testing with 0days (and therefore any
penetration testing within the current legal bounds) is useless in the
face of Trusted Path Execution, which is how all the "REAL HACKERS" do
everything anyway.

This whole thread is yet another iteration of the trend for people to
turn hacking into some kind of game of academic masturbation.
The sooner people realise that hacking is a psychological and not a
technological game the sooner networks will become secure.
Luckily for people like me this isn't going to happen very soon.

Yours (very drunk) in motherfucking (Brazilian) cyberspace -
Holden Williamson AKA the limey haqr
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
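The post's central claim is that a network is only as secure as the weakest link in its chain of trust, and that a scoped penetration test cannot exercise trust relationships that originate outside the scope (an ISP, a partner lab, a contractor's machine). The following is an added illustration from a defender's side, not code from the post or from the Dailydave list: it models trust relationships as a directed graph, walks backwards from an asset to find every host that can transitively reach it, and reports which of those hosts lie outside a given assessment scope. All host names and edges are constructed placeholders, and the function names are this example's own.

```python
"""Trust-path reachability over a constructed trust graph.

Added illustration of the "weakest link in your chain of trust" point:
hosts outside a test's scope that hold credentials or keys for in-scope
hosts can still reach the protected asset, so scope alone is not a
security boundary. Every name below is a constructed placeholder.
"""
from collections import deque

# Constructed directed trust graph. An edge A -> B means a principal on A
# holds something (SSH key, cached password, VPN account, allowed source
# address) that grants a login or connection to B. Not real hosts.
TRUST_EDGES = {
    "contractor-laptop": ["lab-workstation"],
    "lab-workstation": ["lab-server"],
    "lab-server": ["partner-vpn"],
    "partner-vpn": ["target-web"],
    "isp-jumphost": ["target-fw"],
    "target-fw": ["target-web"],
    "target-web": ["target-db"],
    "target-db": [],
}

# Constructed assessment scope: only the target's own hosts were in scope.
IN_SCOPE = {"target-fw", "target-web", "target-db"}


def trust_paths_to(graph, target):
    """Map every host that can transitively reach `target` to one shortest
    chain of trust (list of hops, ending at `target`). BFS over the
    reversed graph, so each host is first reached by its shortest chain."""
    reverse = {host: [] for host in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    paths = {target: [target]}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, []):
            if pred not in paths:
                paths[pred] = [pred] + paths[node]
                queue.append(pred)
    return paths


def out_of_scope_entry_points(graph, target, in_scope):
    """Hosts outside the assessment scope that nevertheless have a trust
    path to `target`: exactly the links a scoped test never exercised."""
    paths = trust_paths_to(graph, target)
    return {host: path for host, path in paths.items()
            if host not in in_scope and host != target}


def perimeter_crossings(graph, target, in_scope):
    """The first in-scope hop on each out-of-scope chain: the points where
    an external trust relationship enters the assessed perimeter. These
    are where a defender should review who is allowed in, and from where."""
    crossings = set()
    for path in out_of_scope_entry_points(graph, target, in_scope).values():
        for hop in path:
            if hop in in_scope:
                crossings.add(hop)
                break
    return crossings


if __name__ == "__main__":
    for host, path in sorted(out_of_scope_entry_points(
            TRUST_EDGES, "target-db", IN_SCOPE).items()):
        print(f"{host:<20} -> " + " -> ".join(path))
    print("perimeter crossings:",
          sorted(perimeter_crossings(TRUST_EDGES, "target-db", IN_SCOPE)))
```

On the constructed data, five hosts outside the scope can reach target-db, and the chains enter the perimeter at target-fw (via the ISP jump host) and target-web (via the partner VPN). In a real review, the graph would be populated from sources the defender already owns, such as authorized_keys files, VPN and firewall allow-lists and directory trust relationships; the value of the exercise is that it shows which external relationships a scoped test silently assumed to be safe.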

