"Free Hacker Manifest"

[full-disclosure () lists netsys com (Steve)]

Here is the original poster.  Possibly the author.

Date: Sat, 03 Aug 2002 09:05:10 -0400
From: qwerty qwerty <qwertyqwerty_15 () lycos com>
To: bugtraq () securityfocus com
Subject: Free Hackers Manifest

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Len Rose
> Sent: Saturday, August 03, 2002 6:19 AM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] "Free Hacker Manifest"
>
>
> I just received this in my mail, I have no clue as to the 
> identity of the person who sent it to me.
>
> ################################ begin inclusion 
> ###########################################
>
> |=-----------------------------=[ Judgment Day 
> |]=-----------------------------=| 
> |=------------------------------------------------------------
> ----------------=|
> |=-------------------------=[ Free Hackers Manifest 
> ]=------------------------=|
>
>
>                Free Hackers versus "Ethical-Corporate-Hackers"
>
>
> In respect  with  the  spirit  of  the  manifest  Authors  
> will  remain  forever
> anonymous.  The  manifest  is  offered  to  the   community   
> under   the   Free
> Documentation License (FDL) [http://www.gnu.org/copyleft/fdl.html].
>
>
> --[ Contents
>
>  0 - Facts
>
>  1 - Accused, to whom the crime profits
>  
>    1.1 - Software Vendors
>    1.2 - Security Service Firms
>    1.3 - Fallacious "hackers"
>
>
>  2 - Defendants, the rights at stake
>  
>    2.1 - User Land, hear my cry
>    2.2 - Hacker Space, free as in freedom
>
>
>  3 - Indictment
>  
>
>  4 - Verdict
>
>
>  5 - Reference
>
>
>
> --[0 - Facts
>
> Some will share, others will keep gems to themselves.
>
> We are judge to none.
>
> Today some wish to force the ones that shares, not to,  for  
> it  depreciate  the value of greed.
>
> We will defend freedom, and fight  to  preserve  the  
> open-space,  that  air  we breath.
>
> -What happened ?-
>
> Once upon a time many of those "Chief  Technologists/Hacking  
> Officers"  of  the flourishing security industry were just a 
> bunch of young  pranksters  eager  for technology.
>
> And the pranksters collected into groups lurking on  some  
> computing  specifics: hacking. Many good things arose from 
> those groups, sweets for the brain.
>
> And the groups got respect, for their findings came atop a 
> pyramid of  knowledge that every one helped build. 
> Recognition by peers,  ultimately  being  called  a "hacker", 
> was the highest retribution.
>
> And the kids went to high school to get an MBA,  get  a  car, 
>  get  a  job,  get money, try to make an aggressive buy-up on 
> that pyramid, trade it  for  a  buck. In the same course 
> raise of communication and Internet growth  had  Corporations 
> began to fear those strange pizza-cola eaters:  The  
> corporate  knowledge,  they called "trade secrets", they did 
> not want to trade with hackers - at all.
>
> Secret  service  has a  saying:  "kiss  the  hand  you  
> couldn't  cut",  and  so corporations cunningly inflated 
> pizzas with money,  and  some  "old  school-full 
> disclosure-non profit hackers" turned  to  security  firms  
> belly  dancing  with software vendors.
>
> -Then-
>
> Some started regulating with "disclosure policies" [1] [2], 
> their publishing  of knowledge. Not yet "Non-Disclosure 
> Agreements" though, but a step  forward  into the semantics. 
> And called it "ethic" ... toward whom ?
>
> -The unthinkable happened-
>
> In a more radical move a bunch tried to -how funny- hack IETF 
>  and  push  for  a generic disclosure policy [3].  Can  you  
> see  that  -how  strange-  Microsoft's employee in the " 
> Aknowledgement " section of the document  ?  All  bullets  
> for the underground, all benefits for the corporate. No 
> commitments to  the  people. Thankfully IETF reacted 
> strongly, the draft is no more, for now [4].
>
> -A putsch from above-
>
> Helped in that by what once was the "elite", a - pretending - 
> general  agreement emerged to restrict hacking publications  
> without  "ethical"  peer  review  [5]. They want to moderate 
> your mind, the newsgroups, the  mailing  lists,  all  main 
> vectors for public information not in accordance with strong  
> content  but  with disclosure policies compliance. 
> Legislation is on  its  way  too.  Can  you  say lobbying ? 
> Can you see the ten villains ?
>
> This will not go through.
>
>
> --[1 - Accused, to whom the crime profits
>
>
>    --[1.1 - Software Vendors
>     
> Side note: In trying to sell  you  hype  some  uses  
> confusion  of  terms.  Very simple psychology: sell shit and  
> call it a rose -or- say the rose  is  made  of shit. It's 
> amazing how many people calls  free  software  programmers  
> "Software Vendors". Don't get confused, one of them is not 
> asking for money.
>
> Here's a trade secret: out of a 100 found software  
> vulnerabilities  almost  100 will initially  come  from  end  
> users  experiencing  a  bug,  and  passing  the information 
> around (also count disgruntled ex-employees passing code around).
>
> There was a time when information couldn't flow, and as an 
> end  user  you  would have to pay to get a patch. Software 
> Vendors are really longing this time.
>
> How does "software insurance" smells to you ?
>
> -So they want hackers to adopt "disclosure policies"-
>
> The most candid argument is in warning the vendor will help  
> to  get  the  patch out before the vulnerability hurts. 
> Everyday experience  proves  this  to  be  a nonsense, 
> because systems  are  actively  exploited  LONG  before  any  
> kind  of announcement [6], because vendors can sit for months 
> on an unpublished bug [7].
>
> The reasons why vendors are pushing for "d.p." is ... well 
> more down to earth:
>
> Without vulnerability  announcements, products looks more 
> secure: it  helps  the sales.
>
> Working hand in hand with "ethical hackers" increases  the  
> credibility  of  the
> vendor: it helps the sales.
>
> Forcing vulnerability authors to help vendors [3] allow them 
> to benefit  from  a free task force: it helps to cut down the costs.
>
> Asking for a delay between discovery and disclosure lets 
> vendors  have  a  happy face in front of the press. Good 
> press helps the sales.
>
> At last, knowing  who  authors  the  advisories  helps  
> vendors  for  more  spin control.
>
>
>    --[1.2 - Security Service Firms
>
> You can get software for intrusion  detection,  penetration  
> tests,  firewalling (etc ..) for free [8].
>
> You can read from the Internet all necessary documents on 
> security,  and  become an expert yourself.
>
> Security Service Firms sells consultancy services and 
> security  software.  Where does the competitive advantage  
> stands  ?  Mainly  in  the  level  of  expertise between you 
> and them. Would it help those firms sales to restrict public  
> access to "valuable" piece of information ?
>
> It helps their sales to have access to early releases of 
> security issues  before you do.
>
> It helps to cut down their costs to have the free community 
> research those  bugs for them.
>
> So they want the community to submit all  findings  to  a  
> central  intelligence that would sell early release of 
> information to security  firms,  whom  in  turn sells you 
> pattern updates for their tools and try  to  discredit  free  
> projects [9]. Already, they are reports of big gaps between 
> the sending of some  advisory to a well known security 
> mailing list and the time it finally get published.
>
> To discourage you from publishing information or to try 
> access  it  those  firms will work with governments  to  rule 
>  it  illegal.  Saying  its  military  grade secrets [10]. 
> Which also fits political agenda  to  protect  interests  of  
> "big business", and further control any free speech that  
> could  modify  the  current balance of power.
>
> To force you into buying consultancy you will see those firms 
> soon working  hand in hand with insurance companies that 
> require "independent an professional  peer review" of you 
> entire computing infrastructure. As we know audit  firms  
> reports are the most qualified and trustworthy items one could find.
>
> Then, what if running a software would require it to be 
> "tested  and  approved", as well as the hardware [11] ?
>
>
>    --[1.3 - Fallacious "hackers"
>
> Granted social engineering is part of hacking, you would be 
> surprised  how  many renown "Ethical Hacker" have so poor 
> coding skills.
>
> The truth is they take credit for code anonymous writes, or  
> better  even,  they say how bad they manage to exploit a bug 
> but they won't  publish  for  "ethical" reasons. The truth is 
> that ruling it  illegal  to  release  exploits  fits  them 
> perfectly, so they can still have you think they are 
> "hackers" when  they  can't make the difference between a 
> shell code and some ASCII art.
>
> On a larger scale its the very understanding of what a  
> "hacker"  is  that  gets compromised. Until recently you 
> would be called a "hacker"  by  peer  review  of your work, 
> retribution by recognition of an intellectual elite. In the 
> avail  of [3], a "hacker" would not be a skilled individual 
> but someone respectful of  the "ethical" rules, accredited by 
> security firms.
>
>
> --[2 - Defendants, the rights at stake
>
>    --[2.1 - User Land, hear my cry
>    
> User rights is mostly unheard in the security world.
>
> Everyone must have a  rightful  access  to  information  to  
> protect  themselves against vulnerabilities and patch their 
> systems in time.
>
> Curiously security firms breaks their own disclosure policies 
> when the  affected software is free software [12] [13]. What 
> does that two-face  attitude  means  ? Early release in the 
> event of free software (even before a patch is  available), 
> moderated information when money is engaged.
>
> Without a warning, users are in a false sense of security.
>
> When someone finds a bugs the only certainty is that the bug 
> exists for as  long as the software was  initially  released. 
>  As  security  firms  recognize  [14], underground exploits 
> exists before  any  users  hear  publicly  about  the  bug. 
> Keeping a vulnerability private is just an open door to crackers.
>
> Ironically crackers can even be tough  new  tricks  by  the  
> "Ethical  Hackers", granted they spawn a few thousands bucks 
> for the exclusives [15].
>
>
>    --[2.2 - Hacker Space, free as in freedom
>
> Hacking is a kind of science, and as such should be  
> discussed  on  its  logical basis by anyone  that  wish  to  
> participate  where  ever  anonymously  or  not. Discovering a 
> vulnerability should not imply obligations of  any  kind  for 
>  the discoverer - except publishing it,  as  an  engagement  
> towards  the  scientific community.
>
> Hackers need anonymity for his own  personal  security  -  
> We've  seen  to  many people in trouble with secret service  
> and  justice  for  publishing  scientific facts, see the 
> DeCSS case [16] or the Russian e-book hacker [17].
>
> Also, some disclosure policies makes it compulsory for  the  
> bug  discoverer  to
> help  vendors  in  reproducing  and/or  solving  the  bug.  
> This  is  just   not
> acceptable, discovering a vulnerability should follow 
> military  rule:  fire  and forget. It's not a hacker's job to 
> solve the issue,  he's  not  responsible  for the existence 
> of the bug in the first place.
>
>
> --[3 - Indictment
>
> Free hacking is in danger, not directly by an opposing force, 
> not in a  struggle of power, but by ex-hackers that have turn 
> their face from scientific  curiosity into greed. The very 
> ones that took part in  building  the  foundations  of  our 
> common knowledge, want to steal our dreams and wrap it in a 
> shiny paper.
>
> The many ways in which they try to enforce control  upon  
> free  hackers  may  be found throughout the reading of their 
> "disclosure policies", that includes:
>
> - The infamous "30 days delay" between informing a software 
> vendor of a bug  and the public at large -
>
> This is ridiculous and should be a  mere  "30  days  delay"  
> after  the  initial release of the software before anything 
> gets  published  simultaneously  to  all possible audience, 
> because any bug could have been discovered and  exploited  at 
> any time since then.
>
> - Removal of exploit codes -
>
> Users need to check if  their  systems  are  vulnerable:  
> software  and  version numbers as included in announcement 
> are not enough, a check is  mandatory  since software 
> programmers often re-use the same code between various  
> software  [18]. Hence, between bug announcement and proof of  
> concept  code  release  one  could choose for -no more than- 
> a week delay.
>
> - Multi-level moderation -
>
> Usual media used for hacking discussion should never be 
> moderated  nor  censored for anything else than accuracy. 
> Would the information flow come to a  stop,  be prepared to 
> wide open your wallet, because  those  would  be  the  time  
> of  the mediocre tyranny.
>
> Would some try to enforce their  "disclosure"  rules  upon  
> all,  a  new  hacker network has to arise, totally free. For 
> this  purpose  we  prepare,  and  invite free hackers to join 
> in the manifest below.
>
>
> --[4 - Verdict
>
>
>
>                            --- Free Hackers Manifest ---
>
> (1) Licensing
>
> This  Manifest  is  published  under  the  Free  
> Documentation   License   (FDL)
> (http://www.gnu.org/copyleft/fdl.html),  any  publication  
> made  explicitly   in
> respect with the terms hereby will also follow the FDL.
>
> (2) Freedom
>
> The author of a published document  has  the  right  to  
> remain  anonymous,  and
> protect  himself  from  further  prosecution  or  pressure  
> of  any  kind.   His
> communication should be regarded as a scientific work and 
> treated as such.
>
> (3) Respect of others
>
> The minimum amount of time before a software bug is published 
> can not exceed  30 days after the initial software release, 
> in respect  of  users  protection  whom systems are already 
> exposed. Past the 30 days  delay  of  the  initial  software 
> release a security bug must be published as soon as possible.
>
> A delay between  the  bug  announcement  and  the  proof  of  
> concept  code  (if available  at  the  time)  must  not  
> exceed  1  week  for  users  to  test  the vulnerability of 
> their systems.
>
> Although announcement will be made by all means possible, 
> Free  Hackers  freedom must be ensured at all times and as 
> such some mediums of information might  just be not suitable 
> (as taking contact with vendors directly).
>
> The Free Hackers recognize their scientific work was  made  
> possible  thanks  to the contribution of many others and will 
> pursue the construction of that  common knowledge for free. 
> The Free Hackers will not participate in actions  that  goes 
> against the spirit of this Manifest  (such  as  holding  
> restricted  details  of public announcements for private firms).
>
> (4) Dormant network
>
> A dormant network of Free Hackers is to be  built,  for  this 
>  purpose  everyone that agrees with the spirit of the 
> manifest is  encouraged  to  add  his  e-mail ROT-13 encoded 
> (to foil spammers) below with the  ones  already  there,  and  to
> show     the     document     on     his/her     web     site 
>      as     u.r.l.
> "<web-site>/Free-Hackers-Manifest.html".
>
> Anonymous Free Hackers that wish to support the Manifest are 
> encouraged to do so by having their e-mails added by a fellow 
> Free Hacker on his/her web site.
>
> Whenever it will be made clear that traditional means of 
> public information  are compromised to the  point  the  above 
>  rules  are  systematically  broken  (like enforcing any kind 
> of disclosure policies, delaying transmission of  information 
> or retaining technical details), the below  list  of  e-mails 
>  will  be  used to activate a Free Hacker Network as such:
>
>  (a) Using a web search engine, one will look for every  instance  of
>      "Free-Hackers-Manifest.html" were he could easily extract a list
>      of Free Hackers e-mail. The web  search  engine  could  help  in
>      determining the most pertinent lists as being the most linked to,
>      for instance.
>  
>  (b) The group will work on releasing a client tool for a peer-to-peer
>      network such as the freenet project (http://www.freenet.org), the
>      release name for the tool will be
>      "Free-Hackers-Manifest-<YYYY/MM/DD>.tgz". The tool will  be  made
>      available by a link on the Manifest web page.
>  
>      That network will allow for anonymous posting from web based mail
>      client and user base moderation on source e-mails  (per  original
>      posts and threads).
>  
>      It must not be possible for any individual to alter  the  content
>      of any message nor block its diffusion to others.
>  
>      Spammers will be blocked on the client side, much like  one  does
>      it with anti-spam code on his mail client, as  well  restrictions
>      could be set on the number of message one individual  is  allowed
>      to post per day.
>  
>  (c) If a group name is  required  on  that  network  it  will  be  of
>      "Free-Hackers-Manifest".
>
> (5) ROT-13 e-mail list
>
> sbb@one;
>
>                            -----------------------------
>
>
>
> --[5 - Reference
>
>
> [1] Full Disclosure Policy (RFPolicy) v2.0
>     http://www.wiretrip.net/rfp/policy.html
>
>
> [2] Extract from "RFPolicy for vulnerability disclosure",
>     http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0908.html
>
>     > My intent is not to push this policy  onto  the  
> community.  Everyone  can
>     > obviously do  whatever  they  feel  like.  But  *I*  
> will  be  using  this
>     > disclosure policy in all future  security  disclosures, 
>  and  I  encourage
>     > anyone  wishing to use or modify it, to do so.
>
>
> [3] Responsible Vulnerability Disclosure Process,
>     
> http://www.ietf.org/internet-drafts/draft-christey-wysopal-vul
> n-disclosure-00.txt
>
>
> [4] Bug-reporting standard proposal pulled from IETF
>     
> http://www.computerworld.com/securitytopics/security/story/0,1
> 0801,69391,00.html
>
>
> [5] Re: Remote Compromise Vulnerability in Apache HTTP Server
>     David Litchfield <david () ngssoftware com>
>     
> http://online.securityfocus.com/archive/1/277259/2002-06-14/20
> 02-06-20/0
>
>
> [6] Remember when RootShell claimed to be victim from a hack  
> via  ssh  back  in
>     1998,  how  long   before   the   first   advisories   on 
>  SSH  weaknesses ?
>     
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&th
> =9a1078fad663e9e&rnum=1
>
>
> [7] Compare CVE assignement dates of
>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0071
>     and
>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079
>     with
>      
> http://www.microsoft.com/technet/treeview/default.asp?url=/tec
> hnet/security/bulletin/ms02-018.asp
>     Also notice the synchronicity  of  assignements dates for 
> different research
>     groups, all released under Microsoft the same day.
>
>
> [8] http://www.nessus.org,     http://www.nmap.org,     
> http://www.openwall.com,
>     http://www.snort.org, http://netfilter.samba.org, ...
>
>
> [9] No pointer  -  but  http://www.nessus.org  was  not  
> accessible  to  "unfair
>     companies", which used nessus to generate a lot of cash, 
> without helping the
>     community in any way.
>
>
> [10] Uniform Computer Information Transactions Act (UCITA)
>      http://www.arl.org/info/frn/copy/ucitapg.html
>
>
> [11] Digital rights management operating system
>      
> http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HIT
> OFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='6,330,
> 670'.WKU.&OS=PN/6,330,670&RS=PN/6,330,670
>
>      > A fundamental building block for client-side content 
> security is a secure
>      > operating system. If a computer can be  booted  only  
> into  an  operating
>      > system that itself honors  content  rights,  and  
> allows  only  compliant
>      > applications to access rights-restricted data, then 
> data integrity within
>      > the machine can be assured. This stepping-stone  to  a 
>  secure  operating
>      > system is sometimes  called  "Secure Boot."  If  
> secure  boot  cannot  be
>      > assured, then whatever rights management system the 
> secure  OS  provides,
>      > the computer can always be booted into an insecure 
> operating system as  a
>      > step to compromise it.
>
>
> [12] ISS Advisory clarification
>      Klaus,  Chris (ISSAtlanta) <CKlaus () iss net>
>      
> http://online.securityfocus.com/archive/1/278189/2002-06-15/20
> 02-06-21/0
>
>
> [13] ON THE CUTTING EDGE 2001: A Security Odyssey
>      
> http://www.infosecuritymag.com/articles/december01/departments
> _news.shtml
>
>      > Under the proposal, coalition members would have a 
> 30-day grace period to
>      > disclose  vulnerabilities  with  law  enforcement   
> agencies,  government
>      > agencies and their trusted client. In theory,  this  
> will  give  software
>      > vendors a head start in correcting the problem  before 
>  anyone  knows  it 
>      > exists.
>      >
>      > So far, Microsoft has drafted the support of BindView 
> (www.bindview.com),
>      > Foundstone   (www.foundstone.com),  Guardent  
> (www.guardent.com),  @stake
>      > (www.atstake.com) and Internet Security Systems (www.iss.net).
>
>
> [14] Apache HTTP Server Exploit in Circulation
>      
> http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?
> oid=20524
>
>      > ISS X-Force has learned that  a  functional  remote  
> Apache  HTTP  Server
>      > exploit has been released. This exploit may  have  
> been  in  use  in  the
>      > underground for some time.
>
>
> [15] http://www.blackhat.com/html/bh-usa-01/bh-usa-01-speakers.html
>      
> https://www.worldwideregistration.com/registration/vegas-black
hat-usa.html


[16] DVD hacker Johansen indicted in Norway
 
http://wneclaw.wnec.edu/faculty/kalodner/courses/softwarelaw/JohansenArr
est.html


[17] Russian Author of Adobe eBook Password-Removing Software Held
Without Bail,
     Faces Possible 5-Year Prison Term
     http://www.ebookweb.org/news/tech.20010716.elcomsoft.roush.htm


[18] see numerous vulnerabilities announced  after  initial  snmp  bug,
apache,
     or bind.




This document is pgp-signed below. Don't trust any claim of authorship
unless that individual may produce the necessary PGP keys.

iD8DBQE9LX2siFdkMnNRCv0RAnAKAKCmAo2B/dnUdpahsaPudQsLIiQJKACfQeXV
joLXFpUVRZZQGHCl0VrTyEE=
=OPrO



__________________________________________________________
Win a First Class Trip to Hawaii to Vacation Elvis Style!
http://r.lycos.com/r/sagel_mail/http://www.elvis.lycos.com/sweepstakes

################################ end inclusion
###########################################
_______________________________________________
Full-Disclosure - We believe in it. Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure