Instrumental in this message for me was this part:
There is no honour amongst hackers any more.
10-20 years back a term hacker had a close relation to a certain moral conduct emphasizing freedom of knowledge. Today with a mass market of startups, that was largely popularized by Hacker News, this perception has changed. A hacker now is a founder. He must be good at raising money, monetizing a product and the greatest feat of all - exit. There's no more moral obligations of the past. Launch at all cost - the rest is an afterthought.
There's a discrepancy between the two cultures. I think this divide is the source of the mailing-list problem and problems with freedom of information and privacy at large we have today.
I don't even know how to respond to the idea that teenagers breaking into phone switches and harassing people, buying Pantera CDs on stolen credit cards, stealing ESNs from other people's phones to make calls on someone else's bill, and rm'ing Unix boxes are somehow more honorable than adults running businesses.
The "hackers" FD's moderator is talking about are the ones I'm talking about. They aren't MIT students ordering sweet and sour bitter melon.
Bullshit. I haven't seen one supposed startup hacker put up a fight once the "grownups", investors, and lawyers start telling them they have to patent something.
It's curious how well your comment fits with the article this discussion is over, because I think that's the underlying problem. It's no longer about fundamentally "hacker" interests as much as it is about financial gain, influence, legalities, and gobs of other rubbish.
You're cherry picking the worst examples and it just sounds bitter. That isn't how most people were, and there are plenty of bad actors in industry that have done (and continue to do) far worse.
No, I mean, which "cool kids" are you referring to? I'm asking seriously. What exactly are you talking about? I'll respond in detail. I've been involved in vulnerability research since high school. And I'm guessing I'm significantly older than you are: I was already working professionally when the Lopatic overflow hit.
I'm weakly willing to bet that whoever you think the "cool kids" were actually sucked.
You're taking it too literally, I wasn't referring to anyone. I explained the point in my previous post.
If your comment reflects sincerely held beliefs that accurately represent the scene as it was, I think it's safe to say you were not a part of it. Your derision of that culture is either out of dishonesty or ignorance.
You're willing to accuse me of being dishonest or ignorant, so I think you should be willing to be specific about what you're talking about. Which cool kids are you referring to?
I don't know how to make it more clear that I wasn't actually referring to any specific "cool kids" and that my statement was not intended to be taken literally.
Claim: for any given period of the hacker scene, saying it largely amounted to nothing more than things like carding and harassment is false, and this statement would only be made by someone who either: (a) was not exposed, or exposed only to a poor sample, and therefore doesn't understand the culture (ignorance); or (b) was exposed, but intentionally wishes to misrepresent the situation (dishonesty)
So I guess the possibilities are either that your statement was ignorant, dishonest, or my claim is wrong and the hacker scene (during whatever time period you intended) was in fact nothing more than dishonorable carders and trolls.
If nothing else, you must know that rm'ing a compromised Unix box was not the norm.
No, I know you to be wrong about that. It's also worth remembering that many of the smartest people in the '90s hack scene came from the virus scene.
What I don't understand is how someone who was around in the 90s could manage to mythologize a bunch of teenagers using semicolons and pipe filters to pop shells on boxes and dump mail spools.
Here's the part where you tell me that you once knew a hacker who never rm'd a box. Why am I meant to care about that? There was zero correlation in the 90s between skill and care for other people's data.
Your opening comment was, "sounds like someone wasn't in the cool kids group". Now you've moved the goalposts; turns out you weren't talking about the "cool kids" at all. But it doesn't matter whether we're talking specifics or the broader issue of whether hackers were more or less moral in the 1990s: you're comprehensively wrong. Consider resetting the "tptacek is always full of shit" bit that is obviously stuck in your brain.
tptacek is exactly right. Not to put words in his mouth, but "nothing more than" is your characterization of what he said as opposed to what he actually said.
The history tptacek is describing goes back to the 1980s: use your favorite search engine to look for the name "Richard Sanzda" for a poignant example.
Do you understand why it's not valid to pick a single anecdote that aligns with your narrative and use it to draw conclusions about a large group of individuals?
I'm not mischaracterizing tptacek's comment. Nor am I suggesting that there were no bad actors.
tptacek said: "The "hackers" FD's moderator is talking about are the ones I'm talking about.", those being "teenagers breaking into phone switches and harassing people, buying Pantera CDs on stolen credit cards, stealing ESNs from other people's phones to make calls on someone else's bill, and rm'ing Unix boxes".
Obviously, this is not who the FD moderator was talking about, making tptacek's comment unfair.
Yes. This is true. I posted something similar circa 2009 about this sentiment. It used to bother me a lot but not anymore. A reply from pg on the different cultures:
pg, 1678 days ago:
Everything you've written would have been just as true in the 1980s, with a few of the names changed. Then too there were authentic hackers, glib fakers, and corporate drones.
The great majority of the computer world in the 1980s was profoundly unsubversive. The smart, subversive people were a tiny minority. They seem a larger proportion when you look back from 30 years later, because the fakers and PHBs had no lasting effects.
10 years from now, who is going to remember Marc Andreessen or Paul Graham? Besides some true hacker enthusiast, ironically, who remembers Andreessen's work on Netscape? In my original post in 2009, I mentioned the hot founder celebrities back then: Carol Bartz (fired), Seth Godin (pumping out more irrelevant books listed further down on Amazon) and Timothy Ferris (moved on from 4-hour "founding" to 4-hour body-building and cooking).
I think back to the early nineties, when Linus Torvalds first pushed out Linux on the listserv: we had OS/2 Warp, the Windows 3.0 preview and Microsoft Bob. Borland, WordPerfect and Lotus 123 running on MS-DOS were the kings. Do you guys remember who founded or worked on those? The people who hack on stuff will always be there, because money and fame didn't motivate them in the first place.
Paul Graham wrote "On Lisp." If ever a book was written by a true hacker, that one is it, and it will be read as long as there are programmable computers.
One day, Clojure is going to sweep the JVM world and all of the declarative folks are gonna read & weep and wonder how their lives were before USSR collapsed.
Here you are speaking about the two different meanings of hacker, security-hacker and startup-hacker. Yes, there is a big difference, and you described it.
But it's not the point.
Full-disclosure is all of security-hackers. And the sad thing is that there is no more honour amongst security-hackers. In the 90s they used to share 0-days. Today, well if you don't sell it you're a fool.
I'm so sad I missed that period, IRC, the lulz.
Don't confuse the hacker spirit with the hacker word.
That is the point. We should stop calling founders and businessmen hackers. A hacker is a person dedicated to technology and freedom. A silent hero, fighting every day against oppression, law and order. A person whose sole interest is keeping information free and accessible to everyone. Maybe he is not the best guy at socializing and communicating his interests, and maybe some hackers are doing pranks and breaking your phone switches. But these are the people who are the front line, the only ones who are willing to carry the fight for freedom and equality onto the internet and against the people who are now calling themselves "Hackers": businessmen, lawyers and founders, all those people whose interests are to make money and obey. YOU Silicon Valley guys aren't hackers anymore. You have become the mass; you have sold your ambitions. I'm going to shed a tear now for all of you. Hacking is about rebellion. Hacking is keeping the internet free of scum like fascists and governments. Hacking is the way of autonomous thinking. Hacking is keeping freedom in your heart and helping the oppressed. Hacking is so much more than "finding the best way to optimize your workflow".
I've been active in the infosec community for ~18 years, probably as one of its more prolific members at times - and similarly to Thomas, I'm not really sure I buy this argument. I don't want to cross-post the entire thing, but here are my thoughts in response to similar posts on /r/netsec:
I am totally confused by your comment. A "hacker" in the context of the Full Disclosure list is a completely different thing than what "hacker" means in the context of Hacker News.
It's at best trying to compare a painter that does portraits to a painter that paints automobiles. Both require skills, but in completely different areas.
> 10-20 years back a term hacker had a close relation to a certain moral conduct emphasizing freedom of knowledge.
Agreed.
There was a certain "code" people adhered to. Even groups like LOD wouldn't release exploits because they feared people would use them for nefarious purposes.
This is batshit revisionist bullshit. Anyone who close-held an exploit did so to keep the bug alive longer. People routinely burned exploits when they found their rivals using them, not by alerting vendors but by circulating exploit code on #hack.
Not sure what you're referring to here... Although gobbles is the only 'organized' (to use that term loosely) full disclosure group from that era that I remember off the cuff, plenty of people posted their (working) exploit code to even 'respectable' lists such as bugtraq, not to mention people copying and pasting exploits to IRC the minute they had them working. And I'm not even talking about joe schmoe's abandoned sourceforge project either: wuftpd had exploits posted and thousands of people got defaced in the hours/days after such a release, complete with defacing archives to keep score (yes, I realize the exploit writers weren't usually the defacers).
In short, in the 1990's there were huge amounts of full disclosure, and even those trying to work with vendors were usually snubbed by those vendors. It was a completely different landscape.
Yeah but blackhats ala lod / h0no / el8 routinely released exploits that were leaked or stolen. They just hated full-disclosure with a passion as they saw it as too corporate.
It seems that one guy not only trolled the list but also either created new identities for more trolling or managed to attract more trolls as bad as him. The guy also appears to deeply believe he's right.
It's still not fully clear to me if he is also the person thus described by the list maintainer:
"I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times)."
Can someone from the security community explain exactly what the list is? Is it a mailing list where researchers disclose exploits that have been found (after doing their best to responsibly notify the developers of the affected systems)?
Snippets from the mailing list charter[0] and listinfo[1], which say, briefly:

> About Full-Disclosure
> Unlike bugtraq, this list serves no one except the list members themselves. We don't believe in security by obscurity, and as far as we know, full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need to survive.
> We will try to operate this list without moderation, as we feel moderation is an impediment to communication.
> Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

and, forebodingly:

> Politics should be avoided at all costs.
There's also the original announcement on the SuSE Linux security mailing list[2] and a follow-up by Mr Cartwright with some further rationale[3].
> We will try to operate this list without moderation, as we feel moderation is an impediment to communication.
I feel like everyone wants to hate moderation, but it's one of those things that, when used correctly, makes a community good.
I'm on several mailing lists that have grown significantly over 3-7 years. I, along with most other founding members, left lists that didn't have any moderation as they inevitably grew into a community similar to what's described in this announcement.
But the mailing lists/forums that had moderate moderation, removing furry porn for example, have continued to grow and continue their initial cause. Good moderation is not censorship, I would even say that people disrupting the core purpose of a community censor more than a good moderator by burying worthwhile content below shit posts.
Given the list's modus operandi and goals, wouldn't it work well under a format such as the blockchain? No moderation and no chance to delete what's been posted, since the decentralization means it would by then be replicated across lots of machines.
You don't need the complexity of a unified ledger to have a distributed message passing system.
The ledger could provide some assurances that others have had access to a given set of messages, but that really only helps with the boring sort of arguments.
You need to pay BTC in order to store in the blockchain (i.e. you can't send a 0.00 BTC transaction to someone). That should go pretty far in eliminating spam. Then again, it might be too high a barrier for legitimate posters.
Full-Disclosure is a popular mailing list that is ostensibly about discussion of vulnerabilities (particularly new ones), but is often as not the security scene's version of 4chan. It was a sort of successor to Bugtraq.
Full disclosure is a lightly moderated security mailing list generally used for discussion about information security and disclosure of vulnerabilities. The list was created on 9 July 2002 by Len Rose and is administered by John Cartwright.
The Wikipedia page goes on to list some notable zero-day vulnerabilities.
Yes (vulnerabilities rather than exploits, although these disclosures often contained proofs of concept.) It was the de facto standard vehicle for this.
No, it was the de facto standard mailing list for releasing vulnerabilities. Over the last 7 years it's gotten less and less relevant as a way of releasing vulnerabilities, because large public mailing lists are not a particularly effective way to publish vulnerabilities.
People seem to believe that happened because vulnerabilities started to obtain a market value, but:
* The serious high-end memory corruption vulnerabilities were (a) more common and (b) much simpler at FD's inception, making them more amenable to posting on a list; in 2014, a high-end vulnerability is likely to be complex enough to merit in-depth consideration on a blog instead.
* Table-stakes XSS vulnerabilities also tend to get written up in blogs (where they help establish a track record for researchers whose future employers aren't going to trawl through FD looking for them), and when they get bought, get bought by bug bounties. It is hard to argue that bug bounties are a bad thing; nobody benefits from a web vulnerability in a SaaS product other than the operator of the SaaS product.
Hehe, nope. It's the list where exploits and vulns are dropped, without getting into the circus and the money of responsible-coordinated-whatever. It's old style. It couldn't survive.
Hi, I'm posting this through Tor. The reason I'm able to do this is because this account is more than two weeks old. I also created this account through Tor, so HN's operators should have no idea who I am.
If you turn on "showdead" in your profile, you'll see that account has a bunch of dead comments. Those comments are dead because the "throughtor" account is less than two weeks old, so HN's system automatically kills them since they're posted through tor. Once two weeks elapse, you'll be able to post comments and they won't be struck down. (Two weeks is the time it takes for the "new account" status to wear off.)
This is a spam prevention technique, and it's necessary in order to drastically reduce the amount of work moderators have to do to filter spam.
So, anyone who wants to post anonymously on HN should open up Tor Browser and create an account right now, and save it for a rainy day sometime in the future.
Remember not to use the same password as your regular HN account, because you'll give your identity away if you do. In addition to the fact that there's nothing stopping any server from logging every password across every service, HN also stores passwords as unsalted SHA-1, so two identical passwords on two different HN accounts will be stored as the same hash in the database, making it trivial to detect your real identity.
At least, unsalted SHA-1 was the case as of arc3.1, which is now several years old. Kogir probably changed it to something more sane in the meantime. But I highly doubt anyone will be able to break into HN's server running BSD anyway, so the unsalted SHA-1 isn't really a concern. This is just a reminder that every piece of information you provide is a piece of information that can be used to determine your identity.
And if you use this information to create more work for HN's operators, then I will ssh into your macbook and scare the crap out of you in the middle of the night by setting your volume to 100% and using text-to-speech. But seriously, don't be lame. It's valuable that we are permitted any anonymity at all.
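The linkage the poster above describes (two accounts with the same password end up with the same stored digest when the store is unsalted SHA-1) is easy to see in code. The example below is an added illustration, not HN's code and not anything from arc3.1; the account names and passwords are constructed. It builds a small user table both ways, shows that a database dump of the unsalted table groups the reused password into one cluster, and that a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256 from the standard library) makes identical passwords unlinkable from the stored values alone:

```python
import hashlib
import hmac
import os

# Constructed sample table: two accounts deliberately reuse one passphrase
# (the situation the post warns about), a third uses a different one.
CONSTRUCTED_USERS = {
    "regular_account": "correct horse battery staple",
    "throughtor": "correct horse battery staple",
    "someone_else": "a different passphrase entirely",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare SHA-1 of the password, identical for identical inputs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The hardened scheme: per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_unsalted_table(users: dict) -> dict:
    """What an unsalted store looks like: username -> hex digest."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_table(users: dict, salt_len: int = 16) -> dict:
    """What a salted store looks like: username -> (salt, derived key)."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)  # fresh random salt per account
        table[user] = (salt, salted_pbkdf2(pw, salt))
    return table


def linked_accounts(table: dict) -> list:
    """Group accounts whose stored value is byte-for-byte identical.

    This is exactly what someone holding a copy of the table could do to
    tie an 'anonymous' account to a regular one. Returns a sorted list of
    groups with more than one member.
    """
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def verify_salted(table: dict, user: str, password: str) -> bool:
    """Login check against the salted table, using a constant-time compare."""
    salt, expected = table[user]
    return hmac.compare_digest(salted_pbkdf2(password, salt), expected)


if __name__ == "__main__":
    unsalted = build_unsalted_table(CONSTRUCTED_USERS)
    print("unsalted SHA-1 links:", linked_accounts(unsalted))   # one cluster of two accounts
    salted = build_salted_table(CONSTRUCTED_USERS)
    print("salted PBKDF2 links:", linked_accounts(salted))      # nothing to link
    print("login ok:", verify_salted(salted, "throughtor", "correct horse battery staple"))
```

The salt only defeats linkage and precomputed tables; it does not make a reused password safe against someone who already knows it, which is why the post's advice to use a distinct password for the anonymous account still stands.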
I floated the idea on bitcointalk.org of a fully anonymous distributed message board that used small bitcoin payments as the cost to post messages ... possibly softened by having a newbie/spam forum where "free" posts are possible but don't get much attention.
It didn't get much traction. (I can understand why bitcointalk.org is staying where they are. It was when theymos was openly asking what to do with all the donated BTC.)
I would, however, be happy to join a public github repo if there's serious interest.
Something like this? http://www.btcmessenger.com/?page=send Just filter it for spam like we do with normal email, maybe as an application anyone can run instead of a website that can be taken down.
Also, is there a provable way to generate a public bitcoin address without learning the private key? As a way to keep it fair.
I actually think Snowden's documents support a cautious optimism about Tor.
The techniques they detail all amount to an admission that Tor itself is still quite difficult for the NSA to de-anonymize at scale. They resort to exploits against browsers instead, which is far less scalable and far more risky.
According to Snowden, the NSA doesn't want to waste valuable vulnerabilities on low-value targets (since this risks discovery and disclosure, making the vulnerability useless in the future).
So they can't do mass surveillance of Tor, and can only de-anonymize targeted individuals under optimal conditions.
It's a double edged sword. The primary adversary on a site with anonymous posting isn't a government but the staff of the site itself (as demonstrated by the OP.)
What a shame; I just recently started taking on an interest in computer security and signed up for the list. In just the few weeks I was on there, I learned about a vulnerability in a device I had recently bought. I am cherishing the opportunity (which I haven't found time for yet) to walk through my first exploit!
As a newcomer I'm not really sure what John's referring to, though. Too bad...
I'll offer my take on his "industry that shouldn't have become an industry".
One of the biggest drivers of cash into information security hires is government regulation. Otherwise, a lot of these companies could give a shit if they lose private data.
Enter the information security specialist who has no fucking clue how to program or do anything remotely technical. They went out and got their CISSP cert, and now they provide a legal shield to the corporation or government office that hires them. Their very presence provides the security theater needed to protect their employer from being sued for not providing the necessary security.
If you are a CISSP on here, the fact that you're on this site means you are in the minority of your loser poser peers. You probably hate these posers as much as I do.
I think John's point was more wide-ranging. Even without regulation, the truth is that security has long become just another market, where vulnerabilities and skills are bought and sold for cash, like any other commodity. Security used to be an aspect of system administration; now it's just another rat race with all the trappings of commercialisation ("enterprise" products etc etc).
He doesn't disclose much information, but it looks a bit like he (sourly) blames the industry and community for something that is very common elsewhere too: to run a public forum or mailing list, you now need not only the users' support and goodwill, but also legal counsel, a thick skin and willingness to challenge legal threats, as well as all sorts of technical means to fend off malicious activities (DoS/spam protection etc.).
What's stopping such communities from going "underground", i.e. to some darknet where anonymity and protection from some of these hassles still exists?
> What's stopping such communities from going "underground", i.e. to some darknet where anonymity and protection from some of these hassles still exists?
Principle? The whole point of FD was for these discussions to happen in the open.
Why would you follow any mailing lists for security in 2014? The concept of a security mailing list predates Twitter, vulnerability databases, Reddit, and blogs. But we have all those things now, and they are all better than Full-Disclosure on its best days.
Yeah, people keep telling me mail is dead, but it's still kicking around and is very well alive. Let me edit my initial question to be email neutral, though.
Secunia has a free Secunia Weekly Advisory Summary newsletter. You need to register for an account at https://secunia.com/community/profile/ and tick a box for a weekly summary IIRC.
But it's probably easier and more convenient to subscribe to announce mailing lists for software you're using. Unless you can turn off affected services or scramble and patch before maintainers.
No substitute for email, but VuXML is an interesting, machine-readable, and therefore potentially extremely useful way of distributing security advisories:
First thing I saw in my inbox when I got to work this morning. Sad really; the list has certainly had its moments.
Can't help but be a little optimistic, at least the "Google Vulnerability with PoC" youtube-upload trollfest chain of emails is done flooding my inbox this month :D
Some companies like to practice 'security by obscurity' to the fullest. They sometimes try to keep bugs from being disclosed by researchers using various means, from ignoring them up to legal threats or other non-disclosure contracts.
Often when things are in a really bad state it's in the public interest to make sure these issues get fixed rather than brushed under the carpet. Hence it gets posted on various sec ML lists to ramp up pressure.
He didn't really explain the full problem, so maybe I am not fully appreciating the situation here, but this seems like a pretty big overreaction to a stupid request from a single user.
As someone who had to deal with legal troubles when running a user-facing service, I can say that it's not that easy if you don't have the resources (or knowledge/time) to respond correctly to the legal inquiries. For example, a relatively small (by internet standards) "local" forum has a somewhat dedicated (it's not their full-time job) 3-man legal team that answers all the legal inquiries.
Let me add one of the latest in the series of my own experiences. Once upon a time someone wanted to scam me on a website deal. We figured out who it was (it was easy: he was the owner of the domain, paid for the hosting etc.) and published the details (we were not the first; he's quite a known scammer around here, and we found numerous blog posts about him). He was even featured in a local newspaper.
Fast forward 5 or so years and I get a Cease and Desist letter from him (or something looking like that) saying that the information in my blog post is not accurate and he will sue me. I quickly see that Google doesn't bring up much about him nowadays, in part due to people not caring for their blogs/doing redesigns and in part due to him sending out "scary" letters. Of course I could fight it; I had a lot of concrete (I was told court-grade by some lawyer acquaintances) proof. But was it worth my time? My effort? My psych? No. I redacted the blog post and let it be. I don't feel good about it, because that means he will try to scam people who could've been warned by my post. But I weighed it and left it all behind.
I cannot think of much that is more thoroughly soul-draining than fighting a legal action that is brought against you.
And, the better your case, the more soul-draining it is. I would imagine that it is easy to comply when one knows he is in the wrong. But, when one feels strongly about the cause and is advised that he has an excellent case, then capitulation feels like being bullied and extorted into compromising one's principles. This, even when it is frequently the most prudent thing to do.
So, one is left with the sad choice of either compromising his principles or fighting indefinitely at significant cost in time, money, and emotional energy.
Not sure if you've ever been involved in a suit, but the "first sign of conflict" is a critical juncture. Perhaps the most critical. And, in many cases, your decision is a function of simple math.
Once you proceed past the "first sign of conflict", you will quickly sink a lot of cash. You don't get a refund if you later decide to stop, nor any other credit. That money is gone and either you keep going until you a.) win (or lose) a protracted, costly battle; b.) bankrupt your cash, energy, or will; or c.) find an opportunity to settle and stop the bleeding. By then, the damage is done.
So, if you decide to proceed, then you are signing up for significant cost and a ride for which you have limited control. They will keep throwing stuff at you to entangle and frustrate you. If you take the suit as far as discovery, then you can get into the high 6-figure or even 7-figure range before you know it.
And, before you get to discovery, the motions, counter-motions, and other pleadings can easily get you to six figures within a few short months or less (depending on the complexity of the case).
If you are a small business, it can be a non-starter, especially when the plaintiff is a much larger (and hostile) company. I've been through it personally and I decided not to "capitulate at the first sign of conflict". I was pissed, they were wrong, I wouldn't be bullied, etc. So, I fought it.
We handily beat them back on the initial injunction they were seeking. Based on the merit, we knew we'd win that easily. Still, it cost me ~$20K to actually do it. It doesn't matter how weak their case is. They can make you bleed to prove it. The standard for having the suit labeled frivolous is extraordinarily high and you almost assuredly will not recover your legal fees.
We kept fighting, using some of the foundation (research, etc.) laid during the injunction battle to reduce costs. Still, by the time, we reached the mandatory (in the state of CA) settlement conference (where we decided to settle), we were out over $100K. So, that was the price of "not capitulating at the first sign of conflict". Of course, we didn't have to concede everything they initially demanded, but that small victory felt a bit Pyrrhic.
And, none of this cost includes the time, mental energy, and stress involved. If you are running a small business, you likely don't have time/energy for it. So, beyond literally bankrupting you, it can damage your business (perhaps irreparably) in other ways.
My strategy, if I can't talk people out of their legal threats and requests for content removal, is to replace the content with something like "Content removed at the request of [fullname]." I figure that anyone likely to have taken warning from the original content after having found it on Google will potentially get the same from that notice, e.g. if they're asking for stuff to be removed, maybe there's something going on.
Source: I've run a public forum with anonymous posting for about 10 years and get regular legal/removal threats. Had four in one day the other week. None have ever proceeded beyond a threatening letter from a lawyer and most don't get past "I've printed this out and I'm taking it to my lawyer."
In the past I've given lots of information about requests to moderate or otherwise remove content from forums I run.
Then I was hit with a cease and desist, and again provided transparency of it. The very predictable Streisand effect kicked in, and then I was hit with a harassment case too (for disclosing the details even though I knew it would likely trigger Streisand).
It was all resolved quite peacefully, but one fire-fights these things reasonably over the years and gets to learn that the other party is usually not being reasonable. You can either escalate, or you can calm things down.
It's a lot easier to pick the option that calms things down if it's available to you. And in the case above, that option was apocalyptic: to close the list without disclosing the detail behind it.
The last straw really breaks the camel's back. Once broken, it's not getting up to fight on. Life is too short.
"I don't want to do this any more" is enough of an explanation to be honest.
Receiving legal threats (either real or vague promises of one), being accused of censorship and denying someone's right to freedom of speech (and having to explain that's not how free speech works), cleaning up spam and trying to sort out fights between users really wears you down after a while.
A lot of work goes on behind the scenes of running a 'community' and it can be stressful, draining and generally not fun.
You are free to try to step in to the gap created by the closure of this list and run a replacement service. I'm sure someone will.