mirror of https://github.com/fdiskyou/Zines.git
200 lines
10 KiB
Plaintext
200 lines
10 KiB
Plaintext
|
|
A PHC PRODUCTION: THE REAL SCRIPTKIDDIES
|
|
|
|
[Posted to the netsys.com 'full-disclosure' list.]
|
|
|
|
Does anyone find it strange that the talentless scriptkiddy Ron DuFresne is
|
|
banging on about "kids this" and "kids that"? I certainly do. This clueless
|
|
moron is in no position to speak down on or scold those he obviously knows
|
|
nothing about.
|
|
|
|
If you search google for his name, you can easily see the technically inept
|
|
scriptkiddy Ron DuFresne making a monkey out of himself:
|
|
|
|
http://www.google.com/search?q=%22Ron+DuFresne%22
|
|
|
|
This guy knows nothing beyond 1980's security policy construction and
|
|
point-and-click firewall operation. He makes many technical blunders in his
|
|
posts and displays an uncanny knack for sounding like a total dumbass.
|
|
|
|
For those out of the loop, the scriptkiddy Ron DuFresne was a former member
|
|
of the defacement group known as GForce Pakistan, albeit only for a month or
|
|
so at most. What's sad is that he has admitted this in the past, but
|
|
justifies it as some kind of adventure "for research purposes." He also
|
|
denies having defaced any websites. Still, makes you wonder, doesn't it?
|
|
|
|
I also see many other technically incompetent people/leeches on this list
|
|
who are making unqualified assertions that so-and-so are scriptkids, that
|
|
so-and-so don't know their stuff, that so-and-so are attention deprived...
|
|
|
|
If you can answer 'yes' to all of the questions below, then by all means
|
|
feel free to think of yourself as equal to or better than these ~el8 guys.
|
|
Otherwise, please stop speaking down to people who are obviously much more
|
|
technically skilled than your ignorance will ever allow you to be.
|
|
|
|
* Do you know how to program in C? Are you intimately familiar with ISO C89?
|
|
C99? While other people in your neighbourhood were out partying, were you
|
|
sitting at home in bed making an almost biblical study of the POSIX
|
|
standards? What about those from The Open Group?
|
|
|
|
* Do you know how to write hash tables? Balanced trees? Do you know the art
|
|
of algorithms? Do you know Knuth's work like the back of your hand? Did you
|
|
teach yourself everything about computers that one would otherwise only
|
|
learn by paying thousands of dollars for in Computer Science tuition?
|
|
|
|
* Do you know how to juggle assembly code in your head for multiple
|
|
architectures, such as MIPS, SPARC, x86? Do you understand the peculiarities
|
|
of each architecture down to the nittiest, grittiest details? Can you
|
|
optimize your own assembly routines? Can you take advantage of things such
|
|
as Pentium instruction pairing or the delay slots in various RISC
|
|
architectures? Do you understand the deal with the I-Cache on MIPS? Are you
|
|
fluent in assembly language? Hell, do you even know what SPARC stands for?
|
|
Quadrants in PA-RISC, make sense?
|
|
|
|
* Do you know how to write your own exploits? Do you know how to audit
|
|
software with surgical precision for the most intricate bugs imaginable? Do
|
|
you know how to take advantage of buffer overflows? Do you know how to
|
|
exploit off-by-one errors on a little-endian machine? Do you know about
|
|
integer overflows and signedness issues? Can you exploit format string
|
|
vulnerabilities? Can you gain control of a process vulnerable to a heap
|
|
overflow via a deep knowledge of the malloc implementation on the target
|
|
host? Do you know how to bypass the "security" afforded by crap like
|
|
Openwall, StackGuard, PaX? Or is your knowledge of these things limited to
|
|
the papers that non-hackers publish? You probably think the people trying to
|
|
help the security community with bullshit patches/fixes like this are
|
|
hackers, when in fact no hacker would ever publish any such thing that aims
|
|
to improve security.
|
|
|
|
* Have you studied the UNIX kernel with as much fervour as some would have
|
|
for physical pursuits such as basketball or baseball? Do you know the data
|
|
structures and organization in the kernels of various operating systems?
|
|
Have you read books on UNIX internals cover to cover? Do you know how Linux
|
|
works under the hood? Can you write your own kernel modules for both defense
|
|
and offense? Ever written a kld on FreeBSD? Can you write a device driver
|
|
for a peripheral that your OS doesn't support? Can you find flaws in kernel
|
|
src trees that allow you to compromise a machine given local access?
|
|
|
|
* What do you know about evading (N)IDS? Your knowledge isn't limited to
|
|
what Thomas Ptacek & Tim Newsham have said years ago, right? Surely you
|
|
don't rely on tools written by people like Dug Song who like to think of
|
|
themselves as hackers, when in fact they are traitors to the underground,
|
|
assuming they were ever a part of it to begin with.
|
|
|
|
* What do you know about defeating firewalls? What techniques have you
|
|
innovated and pioneered on your own? What tools have you written that allow
|
|
you to toy with firewalls? Hell, the fucktard security community is probably
|
|
limited to lameass crap like Firewalk.
|
|
|
|
* What do you know about web security? Do you sit back and laugh at the
|
|
"cross-site scripting" revolution governed by an idea that has been around
|
|
well before the CSS/XSS sensation that literally blew the dumbass security
|
|
community apart? Must've wasted a lot of brain cells with that gigantic
|
|
stretch of the imagination. Do you laugh at all these "SQL injection" papers
|
|
and how most of them overlook the blatantly obvious: they have you believe
|
|
you have to fumble around with all kinds of convoluted queries to achieve
|
|
something that can be done with minimal typing if only they'd read the
|
|
fucking documentation for various DBMS. Their CGI experts like RFP and
|
|
Zenomorph call certain script conditions non-exploitable, e.g. when you
|
|
can't get arguments supplied to a binary that you've managed to trick a Perl
|
|
script into running -- RFP mentions this in his Phrack article -- yet any
|
|
moron can easily figure out that you can use the POST method, make the
|
|
script run /usr/bin/perl for instance, and have it run a script of your
|
|
choice that is fed as stdin from the HTTP request's POST data. Oh God, sorry
|
|
for pushing the realm of web security forward with this INCREDIBLY COMPLEX
|
|
revelation.
|
|
|
|
* Have you written your own tools that exploit protocol weaknesses? Have you
|
|
written your own tools for routing protocol weaknesses, e.g. RIP, BGP? Have
|
|
you written your own tools that play games with DNS? Have you written your
|
|
own ARP cache poisoning / mitm tools? Your own tools for shit like icmp
|
|
redirects and router advertisements? Can you write a tool that will exploit
|
|
the TCP sequence number prediction + IP spoofing vulnerability of older
|
|
days? Or can you only mock Mitnick for his 1994 attack, calling him a
|
|
scriptkiddy? Or utter useless banter about ISNs and cookies that you
|
|
digested from some textfile? Who are you kidding? Fuck, have you read all 3
|
|
volumes of the glorious TCP/IP Illustrated, or can you just mumble some
|
|
useless crap about a 3-way handshake? Do you know Net/3 code? TCP
|
|
algorithms? TCP extensions? Perhaps you're some fucking security expert
|
|
because you've memorized /etc/services -- a walking fucking getservbyport, a
|
|
la 70% of the Vuln-Dev subscription base.
|
|
|
|
.....................................
|
|
|
|
I have seen the ~el8 guys cover the full spectrum of everything discussed
|
|
above. 95% of the people calling them scriptkids probably can't even code
|
|
helloworld.c.
|
|
|
|
Further ranting for those who are so quick to judge...
|
|
|
|
Are you just a fucking whitehat leech who knows nothing more than how to use
|
|
tools written by others? Using techniques and exploits that most likely
|
|
originated in the playground of blackhats known as the computer underground.
|
|
More likely than not you're a fucking scriptkid who only knows how to do
|
|
mundane and trivial crap like configuring ACLs on a Cisco router or some
|
|
half-assed product such as Firewall-1.
|
|
|
|
You likely are so ignorant that you believe anyone who compromises machines
|
|
is a clueless scriptkiddy like yourself. You likely are so idiotic that you
|
|
believe that Bugtraq and CERT will protect you from the latest 0day
|
|
exploits.
|
|
|
|
You think Apache 1.3.26 can't be compromised remotely with one of four two
|
|
year old Apache remotes that haven't even been hinted at on the security
|
|
lists. You think sendmail is (now) remotely secure because what you don't
|
|
see on Bugtraq doesn't exist. Qmail. ProFTPd. My God, you people are so
|
|
fucking out of it. People report intrusions on their machines and you
|
|
dumbfucks immediately conclude it's done by some public vulnerability, e.g.
|
|
OpenSSL. That's right, because in your ignorant bliss there are no skilled
|
|
people out there who would actually use their exploits to hack.
|
|
Narrow-minded fools. Scriptkiddies.
|
|
|
|
You know nothing of what lurks beneath the surface glamour of the corrupt
|
|
security industry/community. Your only resort is to call these people kids.
|
|
|
|
Trust me, they laugh at you clueless imbeciles. They laugh at your feeble
|
|
attempts to manipulate hacking so that it becomes some fucking ethical or
|
|
philanthropic pursuit. They laugh at your "hacker vs. cracker" debates. They
|
|
laugh at anyone who thinks hacking isn't about compromising computer
|
|
systems.
|
|
|
|
Who are the scriptkids now? You're outgunned and outclassed. Take a nap and
|
|
retire, you pathetic leeches.
|
|
|
|
The scriptkids like Ron DuFresne and Anodyne Perspective are likely going to
|
|
snap after reading this, so I'm sitting back looking forward to the imminent
|
|
outbursts from these scriptkids whose only rebuttals will be in the...
|
|
|
|
"I have my fingers in my ears, can't hear you kids NANANANANAN JAJAJAJAJAJA
|
|
itiththdsfhg grow up immature children, get a girlfriend HHSHee KkakakKAkka
|
|
pffffttt damn kiddies."
|
|
|
|
... range.
|
|
|
|
All "dox" dropped on the lists have been fake. They have been engineered by
|
|
people either making false assumptions or trying to get their "foes" in
|
|
trouble. Most of the phony ~el8 members lists mention people that have been
|
|
attacked by ~el8, ironically enough. Put one and one together. There is only
|
|
valid "info" for one of those poor souls, anywayz.
|
|
|
|
It's time for an underground revolution. You all quote The Mentor's
|
|
Manifesto in your misguided ethics rants; alas, The Mentor was an active
|
|
hacker, in the true, modern sense of the word. Stop being brainwashed ye
|
|
hackers. Keep your souls untarnished.
|
|
|
|
It's time to bring the corrupt security industry to its knees.
|
|
|
|
THE SECURITY INDUSTRY DEMOLISHED OUR WORLD.
|
|
|
|
THERE WILL NOW BE HELL TO PAY.
|
|
|
|
|
|
Offer up your best defense
|
|
But this is the end
|
|
This is the end of the innocence
|
|
|
|
|
|
|
|
|
|
|
|
|