Afraid of feeding the script kiddies...

Hi!

Recently i had a thread about security where i explained what "buffer overflows" are and how they work. I have a strange feeling about discussing that kind of stuff here as probably there is also script kiddies visiting this site and i don´t want to feed them.

On the other hand, this info is publicly available,eg. via google.com. I would like to hear other people´s oppinion on that. Should stuff like that (hacking, cracking) be discussed in depth here or not?

It´s a discussion that is widespread on the ´net and afaik there is just as many voters for as against it. But i have the feeling that most programmers are pro-publishing.

Also i am not sure about current law in the states where this site is hosted (as if the hosting did matter...). I don´t want Randy or anyone to get into trouble. afaik (german law) the hoster is responsible for what the users do write, but i could be wrong.

I bet there more admins/programmers here that will take advantage of this kind of information than script-kiddies.

What do you think?

Alright, I've re-written this many times in an attempt to get my feelings on the subject into words...

I am concerned about legal issues, not morality or technical issues, when someone comes here and finds information on exploits in programs or systems. Now, here's the thing:

Anyone using up2date or similar tools has constant access to ALL of this info. For example: I have cups and a TeX updates waiting on up2date that tell me about vulnerabilities in them. A quick search on Google, or a walk through Usenet or IRC will almost certainly give me detailed information on exploiting the vulnerabilities. Heck, I figured out the TeX 'exploit' (it's kind of wishy-washy) just from the info the summary of the advisory provided. However, logic and truth do NOT win court cases, as we all know. I doubt Randy, Zues, et. al. have the money to defend themselves from someone posting something stupid (e.g. posting a vulnerability for the first time on the forums rather than notifying the developers).

That brings me to another point: posting vulnerabilities in public before notifying honest developers is S.T.U.P.I.D. However, if the developers / company involved get a reputation for slowly patching problems, or outright ignoring them (can anyone spell "Microsoft"? Microsoft: S.T.U.P.I.D), then by all means, post away in public without telling them. This concerns me not.

Now, my final point: script kiddies. I hate them, you hate them, everyone hates them. But you have to admit, they make life as a developer more.... interesting. First: most of them are too stupid and technically deficient to understand the level of discussion this community could maintain. Second: those who are capable of understanding the discussions probably frequent more 'hardcore' security sites than Devshed.

As far as I'm concerned, there should be no reason NOT to discuss specifics of security here on DevShed. We are developers, and, IMHO, such discussions could help harden our systems. By disseminating the information more freely, we can separate the people who actually TRY to write quality code, and those that just bang out crap to make a few bucks. Good coders will benefit, poor coders will shrivel and die under the onslaught.

My personal feelings, for what they're worth.

Well, I chose number 3. Security should be discussed, but I don't believe in publicly posting exploits about peoples software. Of course, someone else would eventully. If a major catastrophy happens (ie: major corporate data-loss, identity theft, etc.)becuase of the posted exploit, I do not want that on my mind as I would feel guilty as s**t.

I would however private message/email users in this community that I know are legite and let them know about the problem in hopes that it could save them alot of trouble...

I have to agree with Joe on this one, if I were to stumble across a bug in PHP that could be exploited then I would first inform the PHP developers, then come to the forum and tell the people I trust around here via private messaging and perhaps, depending on how easy the exploit is to figure out, post a warning here of how not to fall into the exploit.

I dont think we should discuss how something can be exploited in depth unless it has been completely patched up and is no longer a threat.

My tuppence....

I would have to say #3 also. That is the closest to my feelings on the subject.
Discussing security issues (in depth or not) is always a good idea and it benefits all.
Exploits on a program I am 50/50 on because on both sides of the coin there are benefits.
1) If you open discuss a known exploit (key word here: known) it is helpfull to prevent such things in the future. Just as what M.Hirsh refered to on the buffer overflows. I am sure there are people here who do not really know what they are and discussing them and how to avoid them are good.
2) Posting exploits to a community before the application that it is intended for is only asking for script kiddies to do damage. This doesn't help the developer, it just causes him/her a lot of headaches before he/she can patch the application.

So, I am for it, as long as the program in question has been patched so that it can no longer be exploited. Yes, I know that given any typical exploit, if a cracker gets ahold of it and didn't already know about it, he will go about trying this exploit on different applications. But it will also benefit developers such that we could test our own systems with something we might not have thought of yet.

Remember when unicode came out? Or mssql sa/blank access? Or boom of xss a year ago? Everything script kiddies do does not need to be descussed in-depth. Which raises the question - how 'in depth' are we talking here? If someone posted some c code with problem and patch, odds are many people, and I mean many, wouldn't have a clue as to how to turn that into exploit. Both securiteam and securityfocus, in most cases, post code and discuss problems in depth, and yet they are not the main source of information for script kiddies. IMO, there's nothing wrong with some sample lines of c/perl/whatever to demonstrate problem in action.

I believe it should all be pulled out in the open as quick as possible. Of course first time sploits should be raised to the developers first, but any subsequent discussion is more than welcome here as far as I'm concerned. Afterall, the topic is very deep, very interesting and thoroughly educational - and hey - it's not as if we are offering root kits for download or anything...

hmmm praps we should have a 2600 forum lol!

christo

Seems like most people don't know the right definition of script kiddie. They use *EXISTING* tools that do all the dirty work. Like AlCapone said, most people are incapable of exploiting a flaw even if they are showed the raw and detailed facts. Otherwise we would call them hackers (and they know exactly where to hang out for the latest).

It's just that some of us are soooo good at coding that a given exploit seems easy to reproduce. Script kiddies are mostly point and click users, I woudn't worry about them.

Thanks for your replies so far. Happy that you mostly agree Randy (the admin) is going take part in this discussion at a later stage too.

Some info that i should have posted before: here is the thread that i was refering to:

[edit: removed non working link]
The C forum
[/edit]
as i have no idea how to remove the session ID from the new URL schema, the link might not work. The thread is called "static variables" and is in the "C" forum.

My other concern was the liability in this case as i am eg. following the dcma, kazaa and de-css court decisions which start to make me afraid to write anything anywhere...
The freedom of speech times seem to be over And do i need to get an anonymous remailer for my everyday-work now or what???

M. Hirsch -

You don't seem too far off

The "DVD-Jon" trial actually went pretty well. The prosecution is appealing the decisions (better to make an example or a martyr - which say ye?), but I somehow doubt that the outcome will be any different even if the appeal isn't thrown out. The judges decsision was too comprehensive.

Over here in the states though, things aren't looking so good. Verizon has to give up the name of the 600-download-a-day user who was (possibly) stealing mp3s on the web. Guilty until proven innocent I suppose...

DMCA issues aren't going much better. People are jumping to avoid prosecution because of that stupid 'safe harbor' provision (more guilty until proven innocent BS). Big companies are wielding it like a battle axe to cut down smaller rivals and even pesky customers who demad things such as the right to use their own property in whatever legal ways they want.

*le grand soupir* A government run by the rich, imperialist pigs, for the rich imperialist pigs. People like you and I simply can not afford justice... It seems like anymore the only thing that congresspersons are for is a cashier's window for rich special interests...

People need to be informed of security issues that have been found. They need to be made public ASAP so people can fix them If you dont care, fine, thats your choice. When security notices get issued I am checking right away if I am effected. If the word doesnt get out and a script kiddie finds out though then we are in the crap. Script kiddies dont realise what half the tools they use really do, that is what makes the little idiots dangerous. If its made public for all to know at least we can work on the issue before it becomes a problem.

I think riv is correct. Worrying about whether or not discussing vunerabilities encourages Script Kiddies is a fallacy. By definition, Script Kiddies do not understand what they are using (if they did, they would be crackers/hackers), so you could display a vunerability infront of them, and it would not help them.

I bel