
Full Disclosure mailing list archives
Re: Lun_mountd.c vs mounty.c
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Wed, 17 Sep 2003 11:40:34 -0700
Okay, here's the scenario: a hacker/cracker exploits a vulnerability (I'll leave it to others to debate "who was first") and then that person gives/shares that code with other hacker/crackers and one of *them* posts the slightly modified 'sploit code and takes credit for the hack.

What's wrong with this picture?

First, the ethics/morality of hacking/cracking ... I'm going to take a pass on this one because of where the discussion is ... Full Disclosure. If people want to argue the merits and morals of hacking, I think that there are better fora for those discussions than here.

Second, sharing the code. Well, the Hacker Ethic says "Information should be free" (or "All information should be free" - Levy, Steven, Hackers). So, for the sake of argument, sharing is a good thing. Now *who* you share it with may be the problem, since it appears that at least one of the recipients (or someone that they passed it on to) has less than stellar scruples.

Then there is the point about disclosure. I'm going to take another pass here for the same reason as my first point - no preaching to the choir.

Another issue is the somewhat less obvious "are they not able to got[sic] there own skills" issue. To that I will respond no, most people that I run into either (a) cannot program, (b) can program and are too busy/lazy to write their own code, and (c) can program but would just as soon use someone else's work as take the time to write their own. In fairness, I also know people (many of whom are subscribers to FD) who (a) can code, (b) write sploits, and (c) don't give a hoot if someone else uses what they wrote (because they're already onto the next project by then anyway).

There's a bit of a conflict here - if you share something and you don't want other people to use/abuse it, you either have to (a) not share it, or (b) be more discriminating about the people with whom you share it.
Personally I wonder why the author of the 'sploit didn't just post it immediately (or after they were done with it)? If you find a vulnerability and you want to use it for your own purposes, maybe sharing it is not a good idea. If not, post it and let everyone play.

Here's what *I* would like to see:

(1) hacker/cracker finds vulnerability and writes 'sploit code.
(2) developer then tests 'sploit on every possible variant of target that they have access to, and verifies what's vulnerable and what is not vulnerable. Alternately, developer does minimal testing and then releases the code asking for help testing.
(3) developer posts 'sploit code to Full Disclosure with detailed explanation and appropriate posturing ;-)
(4) Full Disclosure reviews/discusses/patches as necessary

Of course, I would also like to see competent honest people run for political office <sigh>

G

On or about 2003.09.17 15:41:11 +0000, Tobias Klein (tobias.klein () ewetel de) said:
few min ago I was browsing packetstorm and I can't believe my eyes. anyone has changed a half header of my code and disclosures it to packetstorm. I can't understand why pplz does that. are they not able to got there own skills? I have investigate many hours to write this code and it should never released but some sucker leaked it and some other gay changes the half header and disclosures it. attached is the ORIGINAL EXPLOIT code I wrote months ago
<SNIP>

--
Gregory A. Gilliss        Telephone: 1 650 872 2420
Computer Engineering      E-mail: greg () gilliss com
Computer Security         ICQ: 123710561
Software Development      WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html