Re: coding (was: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Robert A. Seace (rasat_private)
Date: Fri Sep 07 2001 - 15:48:19 PDT

    In the profound words of David Schwartz:
    > 
    > > 	Bullshit!  There are PLENTY of "moral applications" for exploit
    > > code...
    > 
    > 	Okay, what are they?
    
    	Well, a handful were listed out below for you...
    
    > > Just to name a few: testing your own servers to see if they
    > > are vulnerable;
    > 
    > 	That requires nothing malicious nor anything to exploit anything. That
    > simply requires detecting the presence of a vulnerability.
    
    	Simple detection which doesn't rely on actually exploiting
    the vulnerability is highly susceptible to failure...  That's
    why good security scanners (eg: Nessus) don't rely on simple
    detection-based tactics (eg: banner/version checking), but rather
    actually attempt to exploit the vulnerability to determine if
    you are vulnerable or not...  That's the only reliable method
    of doing so...
    
    	Maliciousness is a totally different topic...  Obviously
    it's not "malicious", if you're using it in a beneficial way;
    that's sort of self-evident, just from the definition of the
    word...  And, as I said before, CODE can not be "malicious",
    any more than a hammer, knife, or gun is "malicious"...  It
    can be USED for "malicious" purposes, however; or, the very
    same code can be used for benign, even helpful purposes...
    
    > > testing your servers after patching to verify the
    > > patch actually worked as advertised;
    > 
    > 	That requires nothing malicious nor does anything need to be exploited.
    > Please state specifically what malicious or exploitative act is required.
    
    	See above...  Exploiting the vulnerability is necessary
    to ensure any level of accuracy...
    
    > > using the exploit in an authorized
    > > penetration test type of scenario;
    > 
    > 	That's malicious? 
    
    	No, obviously not, nor are any of the other acts...  I don't
    know why you have "malicious" on the brain, but I never mentioned
    the word ONCE!  Maliciousness is an attribute of human beings, not
    of computer programs...
    
    > Arguably that does require the vulnerability to be
    > exploited.
    
    	Yes, it definitely does...  I don't know how you think
    it's "arguable"...  Tell me how exactly you would penetrate
    a machine WITHOUT exploiting a vulnerability of some sort??
    
    > > demonstrating to clueless higher
    > > management at your place of employment the need for applying that
    > > patch that they are so reluctant to do;
    > 
    > 	That's not malicious, 
    
    	No kidding...
    
    > nor does that require the vulnerability to be
    > exploited. 
    
    	Yes, it does...  The particularly clueless ones won't believe
    you if you just tell them; if you can't show them proof of how
    easy it is to break in, they don't see a danger...  Don't think
    people this stupid don't exist, either...  I've seen them...  And,
    I know I can't be the only one...
    
    > In any event, the moral value of responding to irrational
    > requests or demands as if they were rational is questionable.
    
    	Heh.  Ok...  If you don't consider increasing a company's
    security, despite the incompetence of upper management, of any
    "moral value", that's your call, I guess...  But, I think many
    people would disagree... *shrug*
    
    > > studying the code for educational
    > > purposes, to learn how it works, possibly for the purpose of developing
    > > something to guard against it; etc...
    > 
    > 	I said they have no moral _application_. Studying a gun is not an
    > application of a gun. In any event, the studied code need not be malicious
    > nor need it exploit anything.
    
    	*shrug*  THIS one is perhaps a "questionable" one...  Whether or
    not you consider studying code an "application" of it, is just
    semantics...  I can see both sides...
    
    > > There are many, many legitimate,
    > > "moral" uses for exploit code...  Code is just like any other tool:
    > > it can be used for either good or bad purposes...  It's not inherent
    > > in its design which you use it for...  There is no "good" or "bad"
    > > code; only code...  Plenty of so-called "good" programs have been
    > > used for very bad purposes...  And, plenty of so-called "bad" programs
    > > have been used for very good purposes...
    > 
    > 	I could not disagree more with this assertion. It's a great cop out -- 'I
    > only built it, I have no control over what people do with it'. But it's not
    > true at all.
    > 
    > 	To cite a recent real-world example of this, there's a discussion on
    > alt.irc about operator invisibility, which is a piece of code. The only
    > purpose for operator invisibility is to intercept the communications of
    > third parties without their knowledge. It has no other application.
    
    	I tend to think you overstate...  I honestly have no knowledge
    about what you're speaking of, so I can't speak with authority...
    But, being a programmer, I find it next to impossible to believe
    that any program has ONLY ONE specific use, and CAN'T POSSIBLY be
    used for anything else...  I'd need to see some proof to accept
    that one...  Christ, you can even use "Hello, world!" in ways that
    it wasn't intended!
    
    > 	If you agree that it is immoral or unethical to intercept the communication
    > of third parties without their knowledge, then how can you escape the
    > conclusion that it is immoral or unethical to provide for use code that
    > provides only this functionality?
    
    	Because, I don't believe that it does ONLY provide that
    functionality, for one...
    
    	For another, the mere existence of the code does NOT
    intercept anyone's communication...  It's not until someone
    uses it for that purpose that it becomes immoral/unethical...
    
    	Even assuming this app truly ONLY could be used to
    intercept a third party's communication, I can think of
    an ethical use for it: intercepting a friend's communication
    (with their permission, of course), to point out to them
    that they aren't secure in whatever they're doing (IRC,
    presumably, you're talking about?); thereby, convincing
    them to either stop doing it, or to do something to make
    themselves secure...
    
    > 	Would you argue that it's okay to produce the perfect poison (quick,
    > undetectable, etcetera), an item clearly and inarguably optimized as an
    > effective silent killer, because you just make the perfect poison, you have
    > no idea or control over what it's going to be used for?
    
    	Code does not equate to physical products...  However...  Yes,
    I would say it's fine to produce poison...  In fact, companies do
    it every day!  I'm not sure I see where whether or not it's "perfect"
    comes into play; show me a piece of code that's "perfect"...
    
    > 	No, humans make tools. They make them for a purpose and the purpose is
    > reflected in the design of the tool.
    
    	In general, yes...  But, the thing with tools is, they can
    be used for a wide variety of other purposes from that which they
    were designed for...  (I just used a beer bottle to pound a tack
    into the wall...  Are you telling me Belhaven breweries designed
    this bottle for that purpose??)
    
    -- 
    ||========================================================================||
    ||    Rob Seace    ||               URL              || rasat_private ||
    ||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || robat_private ||
    ||========================================================================||
    "A dead telephone sanitizer?" "Best kind." "But what's he doing here?"
    "Not a lot." - The Restaurant at the End of the Universe
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 16:09:23 PDT