[lalaithan]

Ethical hacking is my major. I support this idea, 100%. People should create programs with strong code that have no vulnerabilities for attacks.

[firebolt]

@no2pencil: hence, ethical hacking

[baavgai]

no2pencil, on 4 Apr, 2009 - 10:52 PM, said:

In my opinion there is no such thing as Ethical Hacking, so it should not be taught in schools.

You may be missing the point.

no2pencil, on 4 Apr, 2009 - 10:52 PM, said:

1.) You either build secure software or you write shitty code

A buffer overflow? Why should I care? No one would do that...

One I face at work constantly. Secured web page jumps to web page that has some field in the url like id=123. I ask if the second page is secured. The programmer says you can only get to the second page from the first, which is secure. I enter id=122 on the url and, bingo, data I shouldn't see. There's usually shock and back peddling. Who would do that? These aren't stupid people, they're just not in the habit of thinking like malicious people. In order to have a secure system, they have to be.

no2pencil, on 4 Apr, 2009 - 10:52 PM, said:

2.) There is no ethical hacking. You are either bypassing security or you are not.

You shouldn't be able to bypass security. In order to plug the holes, you have to know what to look for.

no2pencil, on 4 Apr, 2009 - 10:52 PM, said:

3.) A school should not teach how to bypass restrictions or security

Teaching how to prevent a bypass and how to explicitly do it needn't be the same thing. Still, the assertion stands. The reason programs are insecure is because programmers generally don't think like attackers. To be security conscious programmers, they must.

Such classes needn't be taught to anyone walking in the door, but a serious programming student should understand how such things work. Most martial arts schools don't teach the new guys weapons; they'll hurt themselves. But hang around a few years and out come the swords, if only to know how to react when facing such things.

[firebolt]

I just found out that "ethical" hacking is taught in my high school. Its taught in the IPT class (i think).

[Auzzie]

Hacking back when it first reared it's head in the IT community it was purely ethical then came a few people from the crime world that wanted to exploit them... Ethical hacking should be known by programmers just so when products can be better secured when it is released to the public.

[dsherohman]

no2pencil, on 5 Apr, 2009 - 04:52 AM, said:

2.) There is no ethical hacking. You are either bypassing security or you are not.

And if you are bypassing security on your own system or a system whose owner has explicitly authorized you to do so? How is that in any way unethical?

I would also say that implicit authorization is sufficient (e.g., if you're asked to do a general audit of the system or if you're doing development on it and notice a blatant security flaw in the code which the owner insists isn't really an issue), but I can see how reasonable people might disagree with that case.

no2pencil, on 5 Apr, 2009 - 04:52 AM, said:

I've always found that someone looking to secure their site (or software) is reading their logs & being proactive.

If you don't know what potential exploits may exist or how to watch for them, then how will you know what to log (or what to look for in the logs) to identify attacks/breaches?

no2pencil, on 5 Apr, 2009 - 04:52 AM, said:

Anyone that wants to learn how to be malicious asks about Ethical Hacking or how to secure their site that they usually have not even created yet.

Red herring. The most secure software results when it is designed from day 1 to be secure, which requires you to know how to secure it before you've created it. Bolting on security as an afterthought rarely, if ever, works as well.

[firebolt]

nicely said (owned)

[BigAnt]

Quote

I would also say that implicit authorization is sufficient (e.g., if you're asked to do a general audit of the system or if you're doing development on it and notice a blatant security flaw in the code which the owner insists isn't really an issue), but I can see how reasonable people might disagree with that case.

If you are asked to do a audit on security for the system and find a flaw that they insist is nothing, then simply ask if they know this then why did they hire you to do the audit?

Also if you are tasked with fixing the said security flaws and they insist on not fixing this problem because it doesn't really exist then you are better off telling them if they know so much fix it themselves and move on to a different client (this is assuming you do not work for them and are an outside contractor, because if you do not fix this problem then they will indeed blame you if anything happens and when you say that you said not to they will say you should have told me it was this big of a deal I thought it was nothing.

Or else just write in your original contract that you will be using any and all "ethical hacking" techniques to find security flaws and if they have a problem refer back to the contract.

[JonBernal]

I just have something simple about this,
I personally believe "Ethical Hacking" is
essential for good programming to be
done.

While reading this threat, i came across someone,
(too lazy to look back) saying that you either write
good secure programs or not. Well how are you
going to know its secure if you can't "test" it,
"ethical hacking" is essential to the testing process.

Just cause you want to learn about "Ethical Hacking"
does not mean you are a bad guy who wants to go
and hack around places, just cause you learn
martial arts, does not mean you want to kick every-
one's ass it just means you want to be able to protect
yourself.

In a nutshell, to protect yourself you NEED to know
how, and in which way you are going to be attacked.
You can't go to war without knowing your enemy.

This is a little something that came up to mind.
If you tell me there is gold in a room made of
concrete wall, and if i can get in is mine. I'm not
going to to say "crap no door, i guess i can't get it"
I'm going to keep trying, and if it takes TNT to
get into that room, I'm going to use it.
Same thing with security, just because it "breaks"
the law to get in, does not mean that the bad guys
are not going to try to get int anyways.

[dsherohman]

BigAnt, on 6 Apr, 2009 - 03:46 PM, said:

Quote

I would also say that implicit authorization is sufficient (e.g., if you're asked to do a general audit of the system or if you're doing development on it and notice a blatant security flaw in the code which the owner insists isn't really an issue), but I can see how reasonable people might disagree with that case.

If you are asked to do a audit on security for the system and find a flaw that they insist is nothing, then simply ask if they know this then why did they hire you to do the audit?

Agreed. In my "implicit authorization" comment, I was attempting to draw a distinction between security audits and general (i.e., non-security-focused) audits, so situations where you might be, say, auditing a financial subsystem to verify that it carries out transactions correctly and happen to notice that, although the results are correct, it's not secure. I would say that, in such a case, it would be ethically justifiable to demonstrate just why the security flaws do matter if the project owner says "it's not what we asked you to look for, so we don't care", but I expect there are others who would argue that, since you don't have explicit authorization to put the system's security to the test, it would be wrong to do so.

[no2pencil]

firebolt, on 6 Apr, 2009 - 04:52 AM, said:

nicely said (owned)

Owned?? ...are you 10? Are we playing Halo?

We've each given our sides, that's how a discussion works. But thanks. Thanks for being all adult about the entire thing

Now I'll just go back to being... uhm, well owned I suppose.

baavgai : I see your point, & I don't disagree. My opinion is that class in school teaching Security rather than Hacking is going to hold up much better in any professional manor. & I'll be the ass that stereo-types the students that are going to sign up. I wouldn't want to take a security class with some script kiddie sitting next me asking annoying questions the entire time. You throw "hacking" on a curriculum, & half the attendees that show up will want to reenact sword fish, "own" myspace accounts, or download mp3's. Teach security, not black hat in a white hat manor.

I suppose that's one way the school can make a profit. Lure the students in with terminology & key words, right? I saw a commercial for a local community college, I think the music was Prodigy, & there was a cast of three characters. Dressed & cast-typed to match the Matrix. They storm in through the front doors of some bank, or fancy offices, can't remember. The underlining message was "come to our school & enter the Matrix". What a joke.

[firebolt]

I am 10 (15)... and yes i play halo

what i was saying, the comments that you made were just ones own mind. people can disagree and most people did.

might i remind you that you ARE the expert at goofing off and i can only respect that.

btw... no hard feelings. full respect...

This post has been edited by firebolt: 08 April 2009 - 11:25 PM

[no2pencil]

firebolt, on 9 Apr, 2009 - 12:24 AM, said:

people can disagree and most people did.

I usually stand alone w/ my ideas. I'm used to it.

firebolt, on 9 Apr, 2009 - 12:24 AM, said:

might i remind you that you ARE the expert at goofing off and i can only respect that

win++

[prajayshetty]

can any one tell me where i can get some good tuitorials on ethical hacking i dont want to hack some one but ya i need to defend any tuitorials because hacking is becomming big big issue day by day.

This post has been edited by prajayshetty: 09 April 2009 - 08:22 AM

[firebolt]

@no2pencil:


RESPECT