Posted: Sun Sep 17, 2006 2:33 am
by Todd_Z
Another point that I bring to the table is that 'hackers' are quite advanced and knowledgeable programmers. When was the last time you saw a 12 year old playing around with HTML hack a website? Hackers are great programmers with ill-guided morals. Take a feyd, multiply that by evil, and bam: expert hacker. If we look up to feyd for advice and training, why not look up to hackers? If there is anyone who knows the language, or the system, it's the hacker who exploits it.

Posted: Sun Sep 17, 2006 3:34 am
by volka
I disagree on this one. Developing and hacking (/analyzing) are two different skills. They intersect but one does not cause the other.

Posted: Sun Sep 17, 2006 3:52 am
by timvw
I think most people are mistaking crackers for hackers... (And the media don't do a good job making the distinction either).

Posted: Sun Sep 17, 2006 5:11 am
by aaronhall
Todd_Z wrote: Hackers are great programmers with ill-guided morals.
I must completely be missing your issue here. What, on this forum, did you want to talk about that you can't already talk about? What about "ill-guided morals" did you want to be able to discuss?

Posted: Sun Sep 17, 2006 10:59 am
by Todd_Z
Todd_Z wrote: I think that a repository of common hacking practices, ranging from simple hacks, to mysql hacks, to server hacks, could be beneficial to a community like this.

Posted: Sun Sep 17, 2006 11:35 am
by Chris Corbyn
We can for sure collate some common vulnerabilities such as sniffing, email injection, SQL injection, global injection etc etc but I get the impression you're referring more to a HOW-TO on cracking?

We have a security forum and it's there for the obvious reasons. If we were to start doing step-by-step tutorials on cracking systems it doesn't exactly make us look good when people start abusing it now does it?

Asking somebody to "hack" into a system over the internet, even if the system is owned by you is actually illegal too for those who don't know.

I'm all for having a collection of articles on vulnerabilities and common exploits and how to secure against them. But not for having a set of HOW-TO's on breaking into systems.

Posted: Sun Sep 17, 2006 12:05 pm
by Todd_Z
Not specific application instances, like "How do you hack into the college grading system".... more like

"Why was wiki 1.2.1 - 1.2.3 able to give root control of the system to a user" - That kinda thing. We learn from mistakes, no? [btw - that's an example I randomly came up with]

Posted: Sun Sep 17, 2006 4:26 pm
by Maugrim_The_Reaper
Discussing a disclosed exploit I assumed was allowable under the rules... The flip side is that discussion or mention of a non-disclosed vulnerability should be banned completely. It's impolite, and possibly grounds for a civil suit. Maybe the rule could be clarified, but it seems pretty straightforward what's allowable and not. If you want to discover and research exploits of past application versions there are dozens of public security reporting lists which list, categorise, and explain them with proof-of-concepts...

Posted: Mon Sep 18, 2006 12:15 pm
by RobertGonzalez
When it comes to security, at least in these forums, I would feel more comfortable with:
'When you develop, you should do this to prevent that'
as opposed to:
'That causes this, which you should code to prevent'.
Again, I don't ever want to put this community (or the members of it) in a position to be named if/when someone's site goes down as a result of something posted here, especially if it is something that goes straight to the taking down of a site. But I have no problem with someone teaching others against known, published exploits.

Posted: Mon Sep 18, 2006 5:46 pm
by Buddha443556
I would like to learn about this dark art for the mere knowledge of how to prevent it.
You might look into the Computer Security Institute (CSI), International Information Systems Security Certification Consortium (ISC2) and Information Systems Audit and Control Association (ISACA) for professional training. Those are just a few from my junk mail bin. Here's a good list of other professional organizations, not all strictly computer security though:

http://csrc.nist.gov/ATE/prof_development.html

Posted: Mon Sep 18, 2006 6:31 pm
by patrikG
I don't understand what all this fuss is about. We've discussed PHP security in the past (here's another example).
If there are security concerns you have regarding a script you wrote or that is sitting on your server: post the script and ask for advice.
If a new, critical security hole in any of the technologies we are discussing on this board is found, we'll post it here.

I don't know what more you want that you believe will make your script safer nor why.

Posted: Mon Sep 18, 2006 9:35 pm
by gkwhitworth
Again, I don't ever want to put this community (or the members of it) in a position to be named if/when someone's site goes down as a result of something posted here, especially if it is something that goes straight to the taking down of a site. But I have no problem with someone teaching others against known, published exploits.
I completely agree...I am all for figuring out why someone was able to get into someone's server by viewing their code, but not by saying:
"You can get into someone's server by doing this, this, and this. Make sure to do this, to secure yourself from it."

Nice though everah.

--
Greg

Posted: Mon Sep 18, 2006 9:50 pm
by alex.barylski
volka wrote: I disagree on this one. Developing and hacking (/analyzing) are two different skills. They intersect but one does not cause the other.
I agree. Professional programming takes discipline. Project completion is a *very* difficult task.

Professional programming requires years of study & practice and experience.

A Hacker (herein called a cracker) is someone who studies and understands systems, usually experts at finding holes or discovering undocumented functionality.

Reverse engineering and re-engineering are very different skillsets.

Hacking doesn't require discipline, it requires dedication and patience. Cracking requires the former, but intent on causing harm.

Hacking and cracking are very different subjects IMHO.

Crackers use tools like brute force password generators to discover weak passwords, hackers try to discover new methods of entering a system.

Crackers steal passwords using tools provided to them...hackers capture your network traffic and notify you of your vulnerability...

There are big differences in being a professional hacker, cracker and software developer. You don't need to be a programmer to be a hacker or a cracker, but it helps.

Cheers :)

Posted: Tue Sep 19, 2006 4:43 am
by Jenk
I always had the thought that a Hacker was merely someone who takes a proprietary piece of software and modifies it for their, or their employers/clients specific needs (legitimately) whereas a Cracker is what the media refer to as a Hacker.

Hacker.. someone who hacks an app to pieces and rebuilds them to suit their requirements.

Cracker.. someone who makes their way "into" a system, either by finding existing cracks in the walls, or by making their own.

[/offtopic]

I too don't see the problem. And even though Todd_Z has stated he only has good intentions, this does come across as a "I wanna know how to hack" type post..

As patrikG pointed out - you can already post questions about any security flaw, existing or hypothetical .. so I don't see a need for this, or perhaps maybe a list of common flaws such as injection, xss, url corruption and so forth is what you seek?

Posted: Tue Sep 19, 2006 10:42 am
by ambivalent
Jenk wrote: I always had the thought that a Hacker was merely someone who takes a proprietary piece of software and modifies it for their, or their employers/clients specific needs (legitimately) whereas a Cracker is what the media refer to as a Hacker.
http://www.catb.org/~esr/faqs/hacker-howto.html#what_is

I think that's more or less the classic definition.