Watch how fast the defensive shields go up:


Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

I have noticed the trend that anything to do with hacking / exploiting gets no attention around here, and I feel like that is rather counterproductive.

How are programmers supposed to defend against hacking if we don't know how to do it ourselves? This sounds sketchy, but I feel like my code is very stable, I have yet to be hacked, with the exception of my news comments fields getting spammed, and my servers are pretty damn strong too. But, if a real big wig hacker tried to get into my stuff, I'm sure it would happen.

I would like to learn about this dark art for the mere knowledge of how to prevent it.

</rant>
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Well there's this whole rule thing:
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037) Section 1.2 wrote: 10. Warez, copyright violation, or promotion of any other illegal activity may NOT be linked or expressed or posted in any form.
The only thing we can legally offer is an analysis of your code. But you have to post it.
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Rules are meant to be amended.

Posting code doesn't do the trick, for two reasons.

1. Who wants to post code of their proprietary project?
2. Who wants to sift through a 20,000 line project and find vulnerabilities?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Todd_Z wrote: Rules are meant to be amended.
Riiiight. :roll:
Todd_Z wrote: Posting code doesn't do the trick, for two reasons.

1. Who wants to post code of their proprietary project?
That's between you and your decision to make it proprietary. If you want your code checked and not want it public, and you want to do it over this site, then you will have to contract someone. Simple enough.
Todd_Z wrote: 2. Who wants to sift through a 20,000 line project and find vulnerabilities?
You know what they say about assuming things...
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I have noticed the trend that anything to do with hacking / exploiting gets no attention around here, and I feel like that is rather counterproductive.
Maybe you could clarify what you mean by the above? Security has a dedicated forum which is in constant use. Actual hacking attempts are of course illegal for any number of reasons. Since doing so online is not possible, the only viable alternative is posting actual code or (if open source) requesting someone to lend a more hands-on approach.

If you mean requesting advice on HOW to hack a PHP application (in a general non-application-specific sense) not sure where the rules stand. Knowledge of hacking skills is hardly illegal - it's essential for understanding security concerns after all.
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Basically, I think that a repository of common hacking practices, ranging from simple hacks, to MySQL hacks, to server hacks, could be beneficial to a community like this. We have thousands of years of experience combined among the members of this forum, and harnessing that knowledge to teach n00bs and 1337s alike is a good thing.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Security blogs are a good place to look. Example: http://ha.ckers.org/

Really, most of these researchers are only interested in theoretical vulnerabilities, not how to actually exploit them. So a vuln may work in theory but not in practice and still be useful to you. Knowing how to hack and being able to hack are two different things.
LiveFree
Forum Contributor
Posts: 258
Joined: Tue Dec 06, 2005 5:34 pm
Location: W-Town

Post by LiveFree »

Actually I believe the phrase is "Rules are meant to be broken".
AlecH
Forum Commoner
Posts: 27
Joined: Fri Feb 24, 2006 4:22 pm
Location: New Hampshire

Post by AlecH »

No actually, I would have to second Todd_Z, he's right and I really don't understand why we can't discuss things such as exploits. I also agree with the fact that rules are meant to be amended, but they are also meant to be broken. I'd say if you have a huge problem with that, then there are plenty of other places we can go besides here to discuss what we need to. It is vital that programmers are aware of internet security, so much so that governments are paying people to make their websites secure and paying millions of dollars to get the word out that web developers and programmers alike need to wake up and smell the coffee, this is a very serious issue and I find it appalling that you would shun such a thing.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

This may be right, but most (if not all) of those questions here simply sound like "help me crack this thing".
id
Forum Newbie
Posts: 1
Joined: Sat Sep 16, 2006 6:45 pm

Post by id »

For web stuff, http://sla.ckers.org

not that I am biased or anything.....

-id
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Last I checked we didn't bar theoretical discussion of such topics. However we will likely stop directly applicable discussion.

If the question comes across as "I want to hack into this" we may very well close the thread.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think this is a borderline 'war' starting topic. On the one hand we should all be aware of potential hacks so we can code against them. On the other, none of us, myself included, want to be named when someone's site gets womped and they say 'I heard a guy named Everah say it worked like this...'.

I recently ran into this same quandary, and posted a question of how a particular vulnerability might be exploited. The responses were outstanding. There was very little code posted, very little 'I want to break this' (although I did outright say that) and very little confrontation regarding my intent over asking the question. Which may, to some extent, offer up a decent outlook as to why one would ask a question about hacking to start.
gkwhitworth
Forum Commoner
Posts: 85
Joined: Tue Sep 05, 2006 8:28 pm
Location: Wasilla, Alaska

Here goes

Post by gkwhitworth »

Well, security is always an issue and it is good to know how to defend yourself. I just ask, that if you do learn the techniques of hacking that you analyze yourself first and make sure that you are a disciplined person. For instance, if you don't know how to hack yet and you see a vulnerability at a bank website or something, you would just call them up and let them know; but, if you know how to exploit these vulnerabilities you are asking for extra temptations my friend, I always say, "Don't want to slip, don't go where it's slippery."

--
Greg
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

PHP's vulnerabilities are covered thoroughly in the manual. Discussing vulnerabilities is not promotion of illegal activities. Hacking, as you refer to it, is taking advantage of those vulnerabilities -- what about it did you want to talk about?