Dailydave mailing list archives

Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"


From: Robert Nickel <robert () artnickel com>
Date: Mon, 26 Sep 2005 23:02:47 -0700

</lurk>
First things, first.  I'm really enjoying this discussion.  As a
history/computer science dual major, this entire thread has been quite
engaging.

On 2005.09.21 14:21:00 -0400, Marcus J. Ranum wrote:
> [...]
> Oh, sure, bugs are getting fixed (because the vendors are faced
> with the alternative of knowing their customers will be victimized
> immediately if they don't) - but it has created a coercive
> environment in which security practitioners are spending more
> time fighting thousands of brush-fires (look! another IE bug!)
> than doing anything useful. It depresses me because it appears
> that vendors are spending so much time hunting nitpicky bugs and rolling
> patch releases that they still don't have time to architect their
> products well. The message is getting lost in the noise. So,
> where is this great benefit?

This is not really a valid argument.  You can't say that a product released
with a bevy of vulnerabilities was well architected or could have been better
architected if it was, in fact, a new product.

For lack of a better example, does anyone actually believe that *any*
additional time was added to the architectural phase of Windows releases
through 2003 because of security issues with older products?  If so, why did
so many vulnerabilities make return appearances in each new OS version?

> Certainly, the amount of vulnerability disclosure and dissemination
> of exploits that has been going on since the early 90s has been
> a tremendous benefit to all the script kiddies, spammers, and
> bot-netters. It's been a tremendous benefit in that it has created
> a whole market for rapid application of software patches. It's
> turned a whole industry into idiots running around like crazed
> weasels slapping band-aids on things because they don't have
> time to think. Is this great benefit?

Agreed.  The trade of systems administration has been complicated by folks
pushing patches more than best practices.  I would however submit that this is
as much a problem with the software vendors as the vulnerability researchers.
Telling someone that they put a booger on your face when they point it out
isn't really a good idea.

Knowledge of how your network/systems operate eliminates a good deal of the
urgency to patch that is perceived in IT today.  Perhaps you can convince
vendors to reduce the feature set of their software?  Maybe CTO's will start
to focus on needs instead of wants.  

Maybe a monkey will fly out of my nose.  (Or yours.  Please write if it does).  ;-)

> [...]
> Why not? Because it ignores the reality that information is not
> value-neutral. Information IS a weapon. Even casual reflection on
> the history of warfare should make this abundantly evident.
>
> Thus the idea that: "information should be available to
> anyone that can make use of it" is ridiculous, unless you assume
> that everyone is marching toward a common purpose. They are
> not, in warfare or in internet security.
> [...]
> I am not advocating ignorance and I am not saying that information
> should not be shared. I am, however, advocating that information
> be treated as potentially harmful and that the impact of sharing it
> should always be carefully assessed. An ideology of "publish everything"
> is ridiculous - by that logic the US Government should post
> plans for hydrogen bombs, delivery systems, and gyroscopic
> controls along with the exact GPS coordinates of the containment
> vessels for civilian nuclear reactors.
>
> So, yes, I am aware of the "information sharing" ideology and
> I think it's utterly foolish.

This seems to me a difficult position to align with free speech advocacy.  I
agree with *not* releasing hydrogen bomb plans, those happen to be state
secrets and a touch more devastating than shell code.

Comparing these two seems a bit of a stretch though.  First, there aren't
millions of people housing their personal information in hydrogen bombs and
second, the argument that someone needs a computer program is much more
defendable than saying someone needs a hydrogen bomb.  I understand the rant,
I'm just having difficulty swallowing the comparison.

Besides, who's going to edit the internet for content when you're not
available? ;-)

> [...]
> But virtually every moral philosophy around which societies are
> built carries the assumption within them that the person who
> trespasses is WRONG. The person who steals is WRONG.
> The person who hacks my machine is WRONG. The person
> who rapes or kills is WRONG. It is never the victim's fault.

Agreed.  Exonerating the perpetrator of an intrusion by saying, "You should've
patched," to the victim is inexcusable.  I doubt that most [1] security
researchers are willing to place the blame on the victim.  Most likely,
they're operating under the hope/ideal that their research may give software
vendors reason to change their habits from architect for maximum profit,
patch, patch, ... to architect for profit balanced with security, patch if
necessary.

Although Immunity's business model may be morally questionable [2], it's better
than having Dave and company underground doing 0day trading, yes?

> [...]
> This is "military intelligence 101" -- so tell me what makes you
> so sure that the "researchers" are publishing their really good
> stuff? Naive hope?

I hope there's someone above ground that can stand on that researcher's low-end
research and make the leap ahead to his better stuff.

Naive?  Probably.

Enough to make me buy a foil hat?  No.  I make my own! :)

> [...]
> What about giving information to those who DO harm innocents?
> What about aiding and abetting those who harm innocents?
> What about teaching those who harm innocents? What about
>         showing them how to write better malware, or how to
>         do shellcoding better?
> At a certain point, you CANNOT claim your hands are clean
> anymore, can you?

This is silly:

  What about plog being the basis for a hack that harmed innocents?

Suddenly your criteria above come very close to home.  Is releasing the code
to your software part of the above?

The argument here is intent.  Proving that is where the difficulty lies (e.g.
sendmail was likely written with the best of intentions).

> [...]
> Fool. Without hacking THERE WOULD BE NO PROBLEM
> WITH THE SYSTEMS AT ALL.

Ouch!

Difficult chicken and egg problem there. [3]

--Robert

[1] totally unscientific hand-waving here.
[2] based on my reading of mjr postings.
[3] http://en.wikipedia.org/wiki/Tech_Model_Railroad_Club
<lurk>