[ Posted to the full-disclosure mailing list ]

On Fri, 22 Nov 2002 11:46:38 -0800 "Schmehl, Paul L" wrote:

>I received one response (so far) to my request to explain how "black
>hats" would propose I keep my network secure. I would appreciate it if
>responses could at least be cc'd to the list so they can be discussed
>openly.

Just a few things before the reply to your post:

1. To 'Jesus': we're interested in hearing your ideas on appropriate action plans for 'underdog' victory. Feel free to email us.

2. el8@hushmail.com: word tells us this is not ~el8. It smells of Danny Dilber (stringz) making a comeback. If this is true, diestringz2.txt can be rolled out at any time. ~el8 make all their announcements, etc. in their ezine, and anything else outside of the ezine is more than likely an attempt to discredit or misrepresent their views.

3. Stripey, you speak of the "PHC new bloods" when you have no knowledge of how long any of us have been online for. Based on how recently you started selling bugs to Snosoft, it's very likely that you're the one who's Only Been Around For A Few Years. You made an important point about the media sensationalizing stories of 'hackers' and whatnot, but you defended the security industry. Based on what we've witnessed over the last decade, the media AND the security industry waltz side by side to reciprocate the generation of sensationalism that keeps both in business... in the security arena. They are the Yin and Yang of hype.

Paul,

Your network will never be secure. People seem to think Attack Windows -- a term coined by the same class of people who brought you the Nop Sled (tm) -- exist between public vulnerability disclosure and public patch release. This is untrue; Attack Windows exist from public vulnerability disclosure right back into the long forgotten past.

Example: if in 2010 a vulnerability is publicly disclosed in a widely used program that has been used for 20 years, then every box on the planet using that program has been at risk for 20 years, and not merely the week or so between public announcement and public fix. In retrospect, the security industry accomplished nothing in 20 years, except stuffing their pockets with cash and generating a false sense of security.

Insecurity will be perpetual. As democow said, blackhats will always be able to compromise you. Scriptkids will not be able to compromise you if you always manage to win the scriptkid-admin race that occurs when a new bug is disclosed on a security mailing list. However, not all admins will be so lucky. The security industry in this manner has increased not only the number of attackers exponentially, but the threat to the Internet at large. This is a cycle that can stop, but it won't happen while the security industry can make money on it. They need figures and statistics to market their flimsy products. They need visible threats to justify their existence. They need widespread defacements and system compromises.

In the SecurityFocus article, _Full disclosure is a necessary evil_, Elias Levy agrees that full disclosure brings more short-term insecurity than non-disclosure does. So it's not only the 'blackhats' who see this. However, Levy qualifies this short-term insecurity as a "necessary evil" to effect long-term security. Just HOW long-term is a matter of conjecture, but based on the security industry's own tenet that "no software, system, or network can be totally secure," we don't ever see the final destination being reached by the security industry. Instead, we see them as the purveyors of lies and broken promises who will never be able to deliver what they're paid for. This holds true even for the 5% of 'programmer-phrack-magazine-esque' security professionals Who Have A Clue.

The crazy thing is that it's their inability to deliver the goods that keeps them in business. While they rake in large amounts of cash and fail miserably at their self-appointed task, their failures succeed in convincing the gullible that they're still needed.

There was a Vuln-Dev thread on Alan Turing's "Halting Problem" (we remember this thread because it was probably the only educated thread ever to appear on Vuln-Dev, not to mention a brilliant battle of wits between Lcamtuf-the-Brain and Mixter-the-Fucking-Narc) that brought the identification of security holes in software under the light of elementary discrete mathematics. This added to the tenet mentioned above. We mention this to reiterate what we said in Sermon #2 about all disciplines of study being applicable in some way, however slight, to the problem we seek to change. See, even a math nerd can help us.

In summary, the security industry is reaping large sums of money for doing absolutely nothing for Internet security. Along with the media, and (now) the Government (capital G this time since we have learned since our previous sermon that there really is only one government in the world, namely that one run by Octopus Dubya Bush With His Tentacles Up The Asses Of Every Puppet PM And Puppet Prez In The World), the security industry is responsible for all the legislation that has been brought in that not only will affect 'hackers'... but every LOL'ing, OMG'ing person on the Internet.

We can churn out sermon after sermon, but it will do little good if nobody gives a damn. We're not fools to believe all this talk will do anything great. If you see what we are fighting for, then PLEASE contribute Stuff to the cause, where Stuff can be textfiles, graphics, old AntiSec posts, ideas, constructive criticism, whatever. And if you call anything that moves a "scriptkid" or a "lamer," for fuck's sake, do not bother replying to this.

Dear #phrack: STOP FUCKING BEING LAZY. THIS IS NOT A MATINEE PUT ON BY #PHRACK OPS. PROJECT MAYHEM IS DOOMED IF YOU ALL JUST SIT THERE BEING HANDSOME. CONTRIBUTE SHIT. STOP CHATTING ABOUT IRRELEVANT POLITICS. STOP CHATTING ABOUT SPINLOCKS, SEMAPHORES, WEB SCANNERS, OPTIMIZATION, AND OTHER CRAP. GET SERIOUS. GET MOTIVATED. LISTEN TO SOME ANTHONY ROBBINS. AWAKEN THE GIANT WITHIN. GET SOME NLP HAPPENING. WORK ON YOUR AFFIRMATIONS. PSYCHE YOURSELVES UP. GIVE EACH OTHER A PEP TALK. LET'S LEAD PROJECT MAYHEM TO VICTORY.

PHC Sermon #3
http://phrack.efnet.ru | http://phrack.ru
"Join us to teach and learn."

>
>My request still stands. Any takers?
>
>Paul Schmehl (pauls@utdallas.edu)
>TCS Department Coordinator
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu/~pauls/
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>