Force people to patch - Disclosure started from scratch

Diving turtle - a wonderful animal in the darkest depths of the oceans. Turns out deep-diving hackers in the oceans of knowledge aren't as wonderful?
In fact, people are even complaining about disclosure... who are these idiots? In today's world you can get rich by selling exploits. With money in mind, the debate goes on: disclosure only in Core Impact or Nessus? Not in Metasploit any more?
A fair question. In fact, making exploit code freely available doesn't make everyone able to use it. There's a lot to know: coding, operating system specifics, advanced kernel architectures - in short, know-how. And there are only very few individuals who have this knowledge. You find maybe 10 or 12 of them in a town of 300 000 citizens, I guess. IT security is a scientific art that only very few people really understand. It's not the tinkering usually associated with hacking. In general, people think of hackers as people who can crack into computer systems remotely. But that's not true. Maybe 20% of the so-called hackers are interested in IT security specifically. You don't need to believe me, but most hackers are _constructive_: programmers or so, who like to tinker with this mechanical abstraction you call digital technology.
Tinkering hackers, who love computer systems, like to break them? Believe it or not: they don't. In fact, most hackers I know invest "millions of hours" in their beloved stuff and are bloody nosy about every detail they can get.
This kind of infinite nosiness drives an IT security researcher too, but there it's paranoia: constructive tinkering with security specifics - with network semantics, with physical security, with cryptography, with complex electronics and digital circuits... Knowing there's a danger you don't understand makes you explore the deepest digital spheres of a computer system. Those undocumented parts, where creativity causes unexpected behavior. Those parts where the RFCs are sloppy, where the risk is - and where normal engineers fear to go. That's digital dark magic. But somehow it turns out that "hexing" around there, developing witchcraft like a conjurer, isn't so magical at all: it's easy once the darkness turns into light. Like a small cat with gloomy eyes in the sunshine that looked like a panther in the dark. Unmasked.
Those opened boxes hold less than you expect. But they cause an enormous amount of trouble: business uses immature technology and builds it into its deepest layers of organization and control: SCADA.
When I hear SCADA I think of catastrophes. Kevin Finisterre recently released a SCADA exploit into Metasploit. Guess what: now somebody believes the "Teenage Mutant Ninja Turtle" script kids will crack into a SCADA system and cause trouble. But hell no! Don't fix it. That costs money. Forbid disclosure to save the money, forbid people to think, to dive, to explore... and everything stays as it is?
Keep the business going: first lecture of professional IT security. Don't affect productivity. Don't cause trouble. Don't go there. Don't do this... oh yeah.
- Sure! But believe it or not: there's a reason why you are employed. And it's definitely not fixing the stuff. That's what the administrator who knows the environment does.
Desautels said he stands by the decision.
First, the exploit will motivate people to patch by giving them a way to test their systems against the vulnerability, he said. Second, it will encourage SCADA software developers to write more secure code.
"I think releasing the exploit code was actually necessary," he said. "He's actually doing a free service. I would believe Kevin has actually reduced risk."
Rich Mogull says:
"If you told me you're releasing an exploit tool a couple of months after an IE patch comes out, I wouldn't say the same thing," Mogull said. "SCADA guys do not update their stuff. There are huge problems in SCADA. I cannot overemphasize...the disconnect we see between the SCADA community and the security community."
You're there to make these people update their stuff. These guys are no average-Joe users. They create risks. And they don't even know it! You are there to argue with these people, and if it comes to that: to make them fear the security problems. That's your job, if they forget it!