PerlMonks  

On not harboring crackers

by merlyn (Sage)
on Oct 04, 2002 at 21:52 UTC


in reply to Re: •Re: Re: •Re: pscanner.pl
in thread pscanner.pl

This node falls below the community's threshold of quality. You may see it by logging in.

Re: On not harboring crackers
by shotgunefx (Parson) on Oct 04, 2002 at 23:28 UTC
    While I have the utmost respect for your programming abilities and contributions to the Perl community (I have benefited much myself), I must say that I find your people skills severely lacking. In your original reply to the poster, I could practically hear the disdain in your voice. "How do you post such sub-par code!" It reminds me of the South Park episode where Mr Garrison says "There are no stupid questions Kyle, just stupid people."

      There are certainly appropriate forums for discussing security weaknesses. (Bugtraq comes immediately to mind.) But these forums are set up specifically with discussing security in mind, and almost always, the discussion is amongst people who are experts in their respective areas, and are now discussing and sharing expertise in security.

    I disagree. Security is not an afterthought. Programming and Security are not mutually exclusive. It is not something tacked on to a program. I think its discussion is appropriate everywhere people discuss programming.

      The message that triggered this thread was not written by either an expert in security or an expert in Perl. It's a Perl beginner program, whose purpose initially appeared to be nothing more than a junior cracking tool.

    No it's not a junior cracking tool. It's as beneficial to a white hat as a black hat. Plus "script kiddies" don't know what they are doing. That's why they are called "script kiddies". I sincerely doubt they are flocking to Perl when there are so many off-the-shelf tools. I doubt that this example is going to get used for nefarious purposes. There are many tools that do this and similar functionality (albeit much better). Not only are such tools not just for crackers, the SANS/FBI Top 20 List gives links to such tools and suggests using them.

      It does not contribute to the state of security. It does not contribute to the state of the art of Perl. It's merely a posting to further one's education. I applaud the latter goal, but the subject matter is questionable. Thus, I must object.

    I love how you say "It doesn't contribute anything..", It's not the first time I've heard you say it. For you it may not contribute anything, but I think it is incredibly egomaniacal of you to decide what has value for the Perlmonks community as a whole. Even the discussion of this and what better tools there are is beneficial. The whole point of Perlmonks is furthering programmers' understanding of Perl & Programming. A huge portion of this is code submission and peer review. Should we not display proxy programs? As you know, it can be used to circumvent network security.

      All we've done is make yet another variant of a cracking tool available to those who are looking over our shoulders. We do not need to provide more cracking tools. We can certainly discuss methods to detect and prevent such tools from abusing our systems, and that does indeed fit your quote. But simply spreading Yet Another Bad Way to Crack doesn't seem to be useful along any axis.

    How can one prevent something without knowledge of how the event you're trying to prevent occurs?

      Furthermore, and more importantly, we cannot have the Monastery seem like it harbors people who experiment with cracking tools.

    I'll leave this one alone, too easy.

      If vroom chooses to harbor crackers, then I will ask the YAS/TPF board to disown the Monastery. You can't have it both ways.

    <struggles>Must... resist.. easy... shot. </struggles>

    -Lee

    "To be civilized is to deny one's nature."
Re: On not harboring crackers
by jordanh (Chaplain) on Oct 05, 2002 at 14:29 UTC

      I actually don't think that quote applies at all.

      There are certainly appropriate forums for discussing security weaknesses. (Bugtraq comes immediately to mind.)

    But, the quote is actually implicitly critical of "appropriate forums" in favor of widespread knowledge:

    "...A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks..."

    and later...

    "...and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties..."

    You go on to say...

      It does not contribute to the state of security. It does not contribute to the state of the art of Perl. it's merely a posting to further one's education. I applaud the latter goal, but the subject matter is questionable. Thus, I must object.

      All we've done is make yet another variant of a cracking tool available to those who are looking over our shoulders. We do not need to provide more cracking tools.

    Are you really arguing here that this program helps junior crackers at all? This hypothetical wannabe cracker who is looking over our shoulders would have to understand what port scanning is and how it could be used. Seems like this junior cracker you suppose would be so aided by this code would probably just look here first and immediately locate a tool that you identified as much better. If these junior crackers did know what port scanning was and its uses, but didn't know where to find the best tools, you did far more to help them along in your response above than the posting of this example code could ever do.

      We can certainly discuss methods to detect and prevent such tools from abusing our systems, and that does indeed fit your quote.

    The quote refers, not once, to methods of preventing "rogues" from breaking the security of locks. The quote takes the stance that vulnerabilities in all types of locks should be widely known so that people will be educated and will take proper measures.

    This sample code shows how easy it is to embed, in just a few lines, a port scanner in any Perl program. That should be a sobering education to anyone who thinks they are safe from such attacks by implementing policies and mechanisms that exclude common port scanning tools from their networks.

      Furthermore, and more importantly, we cannot have the Monastery seem like it harbors people who experiment with cracking tools. We must take a stand, or it will undermine what I believe to be the purpose of the Monastery.

    I thought the purpose of the Monastery was education and community. You pointed out that this has educational value to the poster as an exercise. I don't see how supporting a culture of Security Through Obscurity is, in any way, in line with the purpose of the Monastery.
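An added example, not code from this thread or from pscanner.pl, of the behaviour-based detection merlyn's quoted reply says is worth discussing: rather than excluding known scanning tools by name, it flags any source that touches many distinct ports on one host within a short window, which is what jordanh's point about signature-only policies calls for. The log format, addresses and timestamps are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Constructed sample log lines (hypothetical format, not any real firewall's):
# epoch-seconds source-ip dest-ip dest-port action
my @log = (
    "1033768320 10.0.0.7 192.168.1.5 21 DROP",
    "1033768320 10.0.0.7 192.168.1.5 22 ACCEPT",
    "1033768321 10.0.0.7 192.168.1.5 23 DROP",
    "1033768321 10.0.0.7 192.168.1.5 25 DROP",
    "1033768322 10.0.0.7 192.168.1.5 80 ACCEPT",
    "1033768322 10.0.0.7 192.168.1.5 110 DROP",
    "1033768323 10.0.0.7 192.168.1.5 143 DROP",
    "1033768320 10.0.0.9 192.168.1.5 80 ACCEPT",
    "1033768390 10.0.0.9 192.168.1.5 443 ACCEPT",
);
# Flag a (source, destination) pair when the source touches more than
# $threshold distinct destination ports within any $window-second span.
# No tool signature is involved; only the connection pattern matters.
sub find_scanners {
    my ($lines, $window, $threshold) = @_;
    my %events;    # "src dst" => [ [time, port], ... ]
    for my $line (@$lines) {
        my ($t, $src, $dst, $port) = split ' ', $line;
        next unless defined $port;
        push @{ $events{"$src $dst"} }, [ $t, $port ];
    }
    my %flagged;
    for my $pair (keys %events) {
        my @ev = sort { $a->[0] <=> $b->[0] } @{ $events{$pair} };
        for my $i (0 .. $#ev) {
            my %ports;    # distinct ports seen in the window starting at $ev[$i]
            for my $j ($i .. $#ev) {
                last if $ev[$j][0] - $ev[$i][0] > $window;
                $ports{ $ev[$j][1] } = 1;
            }
            if (scalar(keys %ports) > $threshold) {
                $flagged{$pair} = scalar keys %ports;
                last;
            }
        }
    }
    return \%flagged;
}
my $flagged = find_scanners(\@log, 10, 5);
for my $pair (sort keys %$flagged) {
    my ($src, $dst) = split ' ', $pair;
    printf "possible port scan: %s -> %s (%d distinct ports within 10s)\n",
        $src, $dst, $flagged->{$pair};
}
```

On the constructed input only 10.0.0.7 is reported (seven distinct ports in four seconds); 10.0.0.9's two ordinary connections stay below the threshold.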

Re: On not harboring crackers
by defyance (Curate) on Oct 04, 2002 at 22:24 UTC
    You know damn well that a "cracker" or "script kiddie" would stick out in this crowd like a 9 foot tall sore thumb. Such a person wouldn't last 5 seconds.

    Why bring this up? What's the point in this, merlyn? Are you looking for some personal gain here, trying to pull rank 'cause someone called you out?

    Reap this if you will, but someone will read it, and understand where I'm coming from.

    I don't want those types posting malicious code here any more than the next guy, but talking about it like this is pointless, as the powers that be wouldn't let it fly, you know that.

    That's MESSED up man. Chill Out..

    -- Can't never could do anything, so give me an inch, I'll make it a mile.

Re: On not harboring crackers
by blakem (Monsignor) on Oct 04, 2002 at 22:08 UTC
    If vroom chooses to harbor crackers, then I will ask the YAS/TPF board to disown the Monastery.
    Those are some pretty harsh words. Are they pragmatic or philosophical? Is it about the "purpose of the Monastery" or about avoiding the legal liability of nefarious posts?

    In other words, would you take such a strong stand if there were no legal implications for the Monastery?

    -Blake

    A reply falls below the community's threshold of quality. You may see it by logging in.
