Watch how fast the defensive shields go up:


Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Another point that I bring to the table is that 'hackers' are quite advanced and knowledgeable programmers. When was the last time you saw a 12 year old playing around with html hack a website? Hackers are great programmers with ill-guided morals. Take a feyd, multiply that by evil, and bam: expert hacker. If we look up to feyd for advice and training, why not look up to hackers? If there is anyone who knows the language, or the system, it's the hacker who exploits it.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

I disagree on this one. Developing and hacking (/analyzing) are two different skills. They intersect but one does not cause the other.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I think most people are mistaking crackers for hackers... (And the media don't do a good job making the distinction either).
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Todd_Z wrote: Hackers are great programmers with ill-guided morals.
I must completely be missing your issue here. What, on this forum, did you want to talk about that you can't already talk about? What about "ill-guided morals" did you want to be able to discuss?
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Todd_Z wrote: I think that a repository of common hacking practices, ranging from simple hacks, to mysql hacks, to server hacks, could be beneficial to a community like this.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

We can for sure collate some common vulnerabilities such as sniffing, email injection, SQL injection, global injection etc etc but I get the impression you're referring more to a HOW-TO on cracking?

We have a security forum and it's there for the obvious reasons. If we were to start doing step-by-step tutorials on cracking systems it doesn't exactly make us look good when people start abusing it now does it?

Asking somebody to "hack" into a system over the internet, even if the system is owned by you is actually illegal too for those who don't know.

I'm all for having a collection of articles on vulnerabilities and common exploits and how to secure against them. But not for having a set of HOW-TO's on breaking into systems.
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Not specific application instances, like "How do you hack into the college grading system".... more like

"Why was wiki 1.2.1 - 1.2.3 able to give root control of the system to a user" - That kinda thing. We learn from mistakes, no? [btw, that's an example I randomly came up with]
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Discussing a disclosed exploit I assumed was allowable under the rules... The flip side is that discussion or mention of a non-disclosed vulnerability should be banned completely. It's impolite, and possibly grounds for a civil suit. Maybe the rule could be clarified, but it seems pretty straightforward what's allowable and not. If you want to discover and research exploits of past application versions there are dozens of public security reporting lists which list, categorise, and explain them with proof-of-concepts...
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

When it comes to security, at least in these forums, I would feel more comfortable with:
'When you develop, you should do this to prevent that'
as opposed to:
'That causes this, which you should code to prevent'.
Again, I don't ever want to put this community (or the members of it) in a position to be named if/when someone's site goes down as a result of something posted here, especially if it is something that goes straight to the taking down of a site. But I have no problem with someone teaching others against known, published exploits.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

I would like to learn about this dark art for the mere knowledge of how to prevent it.
You might look into the Computer Security Institute (CSI), International Information Systems Security Certification Consortium (ISC2) and Information Systems Audit and Control Association (ISACA) for professional training. Those are just a few from my junk mail bin. Here's a good list of other professional organizations, not all strictly computer security though:

http://csrc.nist.gov/ATE/prof_development.html
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

I don't understand what all this fuss is about. We've discussed PHP security in the past (here's another example).
If there are security concerns you have regarding a script you wrote or that is sitting on your server: post the script and ask for advice.
If a new, critical security hole in any of the technologies we are discussing on this board is found, we'll post it here.

I don't know what more you want that you believe will make your script safer nor why.
gkwhitworth
Forum Commoner
Posts: 85
Joined: Tue Sep 05, 2006 8:28 pm
Location: Wasilla, Alaska

Post by gkwhitworth »

Again, I don't ever want to put this community (or the members of it) in a position to be named if/when someone's site goes down as a result of something posted here, especially if it is something that goes straight to the taking down of a site. But I have no problem with someone teaching others against known, published exploits.
I completely agree...I am all for figuring out why someone was able to get into someone's server by viewing their code, but not by saying:
"You can get into someone's server by doing this, this, and this. Make sure to do this, to secure yourself from it."

Nice though everah.

--
Greg
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

volka wrote: I disagree on this one. Developing and hacking (/analyzing) are two different skills. They intersect but one does not cause the other.
I agree. Professional programming takes discipline. Project completion is a *very* difficult task.

Professional programming requires years of study & practice and experience.

A Hacker (herein called a cracker) is someone who studies and understands systems, usually experts at finding holes or discovering undocumented functionality.

Reverse engineering and re-engineering are very different skillsets.

Hacking doesn't require discipline, it requires dedication and patience. Cracking requires the former, but intent on causing harm.

Hacking and cracking are very different subjects IMHO.

Crackers use tools like brute force password generators to discover weak passwords, hackers try to discover new methods of entering a system.

Crackers steal passwords using tools provided to them...hackers capture your network traffic and notify you of your vulnerability...

There are big differences in being a professional hacker, cracker and software developer. You don't need to be a programmer to be a hacker or a cracker, but it helps.

Cheers :)
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I always had the thought that a Hacker was merely someone who takes a proprietary piece of software and modifies it for their, or their employers/clients specific needs (legitimately) whereas a Cracker is what the media refer to as a Hacker.

Hacker.. someone who hacks an app to pieces and rebuilds them to suit their requirements.

Cracker.. someone who makes their way "into" a system, either by finding existing cracks in the walls, or by making their own.

[/offtopic]

I too don't see the problem. And even though Todd_Z has stated he only has good intentions, this does come across as a "I wanna know how to hack" type post..

As patrikG pointed out - you can already post questions about any security flaw, existing or hypothetical .. so I don't see a need for this, or perhaps maybe a list of common flaws such as injection, xss, url corruption and so forth is what you seek?
ambivalent
Forum Contributor
Posts: 173
Joined: Thu Apr 14, 2005 8:58 pm
Location: Toronto, ON

Post by ambivalent »

Jenk wrote: I always had the thought that a Hacker was merely someone who takes a proprietary piece of software and modifies it for their, or their employers/clients specific needs (legitimately) whereas a Cracker is what the media refer to as a Hacker.
http://www.catb.org/~esr/faqs/hacker-howto.html#what_is

I think that's more or less the classic definition.