Watch how fast the defensive shields go up:
Posted: Sat Sep 16, 2006 4:16 pm
by Todd_Z
I have noticed the trend that anything to do with hacking / exploiting gets no attention around here, and I feel like that is rather counterproductive.
How are programmers supposed to defend against hacking if we don't know how to do it ourselves? This sounds sketchy, but I feel like my code is very stable, I have yet to be hacked, with the exception of my news comments fields getting spammed, and my servers are pretty damn strong too. But, if a real big wig hacker tried to get into my stuff, I'm sure it would happen.
I would like to learn about this dark art for the mere knowledge of how to prevent it.
</rant>
Posted: Sat Sep 16, 2006 4:18 pm
by feyd
Well there's this whole rule thing:
The only thing we can legally offer is an analysis of your code. But you have to post it.
Posted: Sat Sep 16, 2006 5:02 pm
by Todd_Z
Rules are meant to be amended.
Posting code doesn't do the trick, for two reasons.
1. Who wants to post code of their proprietary project?
2. Who wants to sift through a 20,000 line project and find vulnerabilities?
Posted: Sat Sep 16, 2006 5:07 pm
by feyd
Todd_Z wrote:Rules are meant to be amended.
Riiiight.
Todd_Z wrote:Posting code doesn't do the trick, for two reasons.
1. Who wants to post code of their proprietary project?
That's between you and your decision to make it proprietary. If you want your code checked and not want it public, and you want to do it over this site, then you will have to contract someone. Simple enough.
Todd_Z wrote:2. Who wants to sift through a 20,000 line project and find vulnerabilities?
You know what they say about assuming things...
Posted: Sat Sep 16, 2006 5:25 pm
by Maugrim_The_Reaper
I have noticed the trend that anything to do with hacking / exploiting gets no attention around here, and I feel like that is rather counterproductive.
Maybe you could clarify what you mean by the above? Security has a dedicated forum which is in constant use. Actual hacking attempts are of course illegal for any number of reasons. Since doing so online is not possible, the only viable alternative is posting actual code or (if open source) requesting someone to lend a more hands on approach.
If you mean requesting advice on HOW to hack a PHP application (in a general non-application-specific sense), not sure where the rules stand. Knowledge of hacking skills is hardly illegal - it's essential for understanding security concerns after all.
Posted: Sat Sep 16, 2006 5:32 pm
by Todd_Z
Basically, I think that a repository of common hacking practices, ranging from simple hacks, to mysql hacks, to server hacks, could be beneficial to a community like this. We have thousands of years of experience combined among the members of this forum, and harnessing that knowledge to teach n00bs and 1337s alike is a good thing.
Posted: Sat Sep 16, 2006 5:47 pm
by Ambush Commander
Security blogs are a good place to look. Example:
http://ha.ckers.org/
Really, most of these researchers are only interested in theoretical vulnerabilities, not how to actually exploit them. So a vuln may work in theory but not in practice and still be useful to you. Knowing how to hack and being able to hack are two different things.
Posted: Sat Sep 16, 2006 6:34 pm
by LiveFree
Actually I believe the phrase is "Rules are meant to be broken"
Posted: Sat Sep 16, 2006 6:38 pm
by AlecH
No actually, I would have to second Todd_Z, he's right and I really don't understand why we can't discuss things such as exploits. I also agree with the fact that rules are meant to be amended, but they are also meant to be broken. I'd say if you have a huge problem with that, then there are plenty of other places we can go besides here to discuss what we need to. It is vital that programmers are aware of internet security, so much so that governments are paying people to make their websites secure and paying millions of dollars to get the word out that web developers and programmers alike need to wake up and smell the coffee, this is a very serious issue and I find it appalling that you would shun such a thing.
Posted: Sat Sep 16, 2006 6:45 pm
by volka
This may be right, but most (if not all) of those questions here simply sound like "help me crack this thing".
Posted: Sat Sep 16, 2006 6:47 pm
by id
For web stuff,
http://sla.ckers.org
not that I am biased or anything.....
-id
Posted: Sat Sep 16, 2006 8:25 pm
by feyd
Last I checked we didn't bar theoretical discussion of such topics. However we will likely stop directly applicable discussion.
If the question comes across as "I want to hack into this" we may very well close the thread.
Posted: Sat Sep 16, 2006 11:16 pm
by RobertGonzalez
I think this is a borderline 'war' starting topic. On the one hand we should all be aware of potential hacks so we can code against them. On the other, none of us, myself included, want to be named when someone's site gets womped and they say 'I heard a guy named Everah say it worked like this...'.
I recently ran into this same quandary, and posted a question of how a particular vulnerability might be exploited. The responses were outstanding. There was very little code posted, very little 'I want to break this' (although I did outright say that) and very little confrontation regarding my intent over asking the question. Which may, to some extent, offer up a decent outlook as to why one would ask a question about hacking to start.
Here goes
Posted: Sat Sep 16, 2006 11:41 pm
by gkwhitworth
Well, security is always an issue and it is good to know how to defend yourself. I just ask, that if you do learn the techniques of hacking that you analyze yourself first and make sure that you are a disciplined person. For instance, if you don't know how to hack yet and you see a vulnerability at a bank website or something, you would just call them up and let them know; but, if you know how to exploit these vulnerabilities you are asking for extra temptations my friend, I always say, "Don't want to slip, don't go where it's slippery."
--
Greg
Posted: Sun Sep 17, 2006 1:35 am
by aaronhall
PHP's vulnerabilities are covered thoroughly in the manual. Discussing vulnerabilities is not promotion of illegal activities. Hacking, as you refer to it, is taking advantage of those vulnerabilities -- what about it did you want to talk about?