Fierce Scanner Evaluation
Posted by: fragge
Date: March 27, 2008 07:48PM

Here's a funny eval of your scanner by some guy who chose to remain anonymous. Love perl scripters, they're 1337 and conform to 1337 5t4nd4rd5:

-[0x05] # RSnake is RJoke, and IceShaman isn't much better ---------------

#!/usr/bin/perl

#########################################
# Fierce v0.9.9 - Beta 03/24/2007
# By RSnake http://ha.ckers.org/fierce/
# Threading and additions by IceShaman
#########################################

# Finally, something with some length to it.. let's do this...

use strict; # Nice, but no warnings?
use Net::hostent;
use Net::DNS;
use IO::Socket;
use Socket;
use Getopt::Long; # props.

# command line options
my $class_c;
my $delay = 0;
my $dns;
my $dns_file;
my $dns_server;
my @dns_servers;
my $filename;
my $full_output;
my $help;
my $http_connect;
my $nopattern;
my $range;
my $search;
my $suppress;
my $tcp_timeout;
my $threads;
my $traverse;
my $version;
my $wide;
my $wordlist;
# You know that my() can take a comma separated list of arguments, right?


my @common_cnames;
my $count_hostnames = 0;
my @domain_ns;
my $h;
my @ip_and_hostname;
my $logging;
my %options = ();
my $res = Net::DNS::Resolver->new;
my $search_found;
my %subnets;
my %tested_names;
my $this_ip;
my $version_num = 'Version 0.9.9 - Beta 03/24/2007';
my $webservers = 0;
my $wildcard_dns;
my @wildcards;
my @zone;

my $count;
my %known_ips;
my %known_names;
my @output;
my @thread;
my $thread_support;
# Wow, nice load of variables there.

# Way to embrace the concept of lexical variables by having 40 of them be global

$count = 0; # Why not set it to zero when you declare it?

# ignore all errors while trying to load up thread stuff
BEGIN {
$SIG{__DIE__} = sub { };
$SIG{__WARN__} = sub { };
}

# try and load thread modules, if it works import their functions
BEGIN {
eval {
require threads;
require threads::shared;
require Thread::Queue;
$thread_support = 1;
};
if ($@) { # got errors, no ithreads :(
# awww... what a shame... there's always 505threads though
$thread_support = 0;
} else { #safe to haul in the threading functions
import threads;
import threads::shared;
import Thread::Queue;
}
}

# turn errors back on
BEGIN {
$SIG{__DIE__} = 'DEFAULT';
$SIG{__WARN__} = 'DEFAULT';
}

# OK really, why did you need three BEGIN blocks?
# Why not just use() them in the eval, because you catch failure
# anyways?
# Do you think your signal catching is actually useful here?
# We will see more confusion as we go

my $result = GetOptions (
'dns=s' => \$dns,
'file=s' => \$filename,
'suppress' => \$suppress,
'help' => \$help,
'connect=s' => \$http_connect,
'range=s' => \$range,
'wide' => \$wide,
'delay=i' => \$delay,
'dnsfile=s' => \$dns_file,
'dnsserver=s' => \$dns_server,
'version' => \$version,
'search=s' => \$search,
'wordlist=s' => \$wordlist,
'fulloutput' => \$full_output,
'nopattern' => \$nopattern,
'tcptimeout=i' => \$tcp_timeout,
'traverse=i' => \$traverse,
'threads=i' => \$threads,
);

help() if $help; # excellent oneliner there
quit_early($version_num) if $version;

if (!$dns && !$range) { # Try 'not' and 'and'
output("You have to use the -dns switch with a domain after it.");
quit_early("Type: perl fierce.pl -h for help");
} elsif ($dns && $dns !~ /[a-z\d.-]\.[a-z]*/i) { # you want + not *
output("\n\tUhm, no. \"$dns\" is gimp. A bad domain can mess up your day.");
quit_early("\tTry again.");
}

if ($filename && $filename ne '') {
# If it has a value and if it's not equal to '' eh?
# Does anyone else see the redundancy there?
# If it passes the first condition, it will ALWAYS pass the second
#
$logging = 1;
if (-e $filename) { # file exists
print "File already exists, do you want to overwrite it? [Y|N] ";
chomp(my $overwrite = <STDIN>);
if ($overwrite eq 'y' || $overwrite eq 'Y') {
open FILE, '>', $filename
or quit_early("Having trouble opening $filename anyway");
# nice. a 3 arg open and a good use of an 'or' !
} else { # Your paren style sucks.
quit_early('Okay, giving up');
}
} else {
open FILE, '>', $filename
or quit_early("Having trouble opening $filename");
} # man you could have made this cleaner, could have just done a
# quit_early for a n/N and then open otherwise
output('Now logging to ' . $filename);
}

if ($http_connect) {
unless (-e $http_connect) {
open (HEADERS, "$http_connect") # Why'd you quote the scalar here, but
# not above? And don't you know about
# the security risks of using open()
# like this
or quit_early("Having trouble opening $http_connect");
close HEADERS; # uh... open... and close... Are you just testing that
# you can? -r for that
}
}

# if user doesn't provide a number, they both end up at 0
quit_early('Your delay tag must be a positive integer')
if ($delay && $delay != 0 && $delay !~ /^\d*$/); # Try 'and' instead of '&&'. Also, lose the parens.
# You still don't understand how this works: if the first condition
# passes, the second ALWAYS will.
# what you probably think is happening is this:
# if ( defined $delay && $delay != 0 && $delay !~ /^\d*$/)
# But it isn't. You're just a noob.

quit_early('Your thread tag must be a positive integer')
if ($threads && $threads != 0 && $threads !~ /^\d*$/);

# isn't if ($threads and not $thread_support) pretty smooth to read?
# smooth like silk
if ($threads && !$thread_support) {
quit_early('Perl is not configured to support ithreads');
}

if ($dns_file) {
open (DNSFILE, '<', $dns_file)
or quit_early("Can't open $dns_file");
for (<DNSFILE>) {
chomp;
push @dns_servers, $_; # yucky sucky
}
if (@dns_servers) {
output("Using DNS servers from $dns_file");
} else {
output("DNS file $dns_file is empty, using default options");
}
}

# OK these guys are just too lame to profile much more of their code
# We're gonna cut almost all of it out and just point out a few especially
# funny parts

# lol how about $tcp_timeout ||= 10;
# or $res->tcp_timeout($tcp_timeout || 10 );
if ($tcp_timeout) {
$res->tcp_timeout($tcp_timeout);
} else {
$res->tcp_timeout(10);
}

# lawl someone meant > 255! Someone did not test his shitty code!
quit_early('The -t flag must contain an integer 0-255') if $traverse < 255;

# This line here makes those or's look kinda dumb, huh?
$wordlist = $wordlist || 'hosts.txt';
if (-e $wordlist) {
# user provided or default
open (WORDLIST, '<', $wordlist) or
open (WORDLIST, '<', 'hosts.txt') or
quit_early("Can't open $wordlist or the default wordlist");


# how about just ++ it? 0 + 1 = 1
if ( $subnets{"$bytes[0].$bytes[1].$bytes[2]"} ) {
$subnets{"$bytes[0].$bytes[1].$bytes[2]"}++;
} else {
$subnets{"$bytes[0].$bytes[1].$bytes[2]"} = 1;
}
}

# wasted variables, didn't check if the regex matched, used * instead of +
if ($wide) {
($lowest, $highest) = (0, 255);
} else { # user provided range
if ($octet[3] =~ /(\d*)-(\d*)/) {
($lowest, $highest) = ($1, $2);
quit_early("Your range doesn't make sense, try again")
}

# WHAT COMPLEX FEATURES YOU LACK
#TODO: add port selection and range support
my $socket = new IO::Socket::INET (
PeerAddr => "$ip_and_hostname[0]",
PeerPort => 'http(80)',
Timeout => 10,
Proto => 'tcp',
)


# It's just all very silly and stupid. To think that these guys wrote this up,
# didn't clean it, didn't even test it, and then released it to the world like
# it was big shit and they were bigger. kids, just keep your shitty code to
# yourself. Or send it to us for PU+ certification.

# RSnake needs to stick to his nice easy PHP world, where he can be a god
# among retards. Same for IceShaman and HTS. Neither can play with grown-ups.

----------------------------------------------------------------------------------

Source: http://www.packetstormsecurity.nl/mag/perlunderground/perl-underground5.txt



Edited 2 time(s). Last edit at 03/27/2008 07:55PM by fragge.
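
The option checks that the quoted review flags (the unanchored domain pattern ending in `*`, the `/^\d*$/` integer test, the inverted `$traverse < 255` comparison and the two-argument `open`), rewritten in a stricter form. This is an added example, not Fierce's code and not part of the original post; the sub names and sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from Fierce or the zine): stricter forms of the option
# checks the review flags. Sub names and sample inputs are constructed.
use strict;
use warnings;

# Domain check. The reviewed pattern /[a-z\d.-]\.[a-z]*/i is unanchored and
# ends in '*', so any string containing "<char>." passes. This version is
# anchored with \A...\z and requires at least one letter in the last label.
# Assumption: plain ASCII host names with an alphabetic TLD are enough.
sub valid_domain {
    my ($dns) = @_;
    return 0 unless defined $dns;
    return $dns =~ /\A(?:[a-z\d](?:[a-z\d-]*[a-z\d])?\.)+[a-z]+\z/i ? 1 : 0;
}

# --delay, --threads: digits only, at least one, no trailing newline.
# The reviewed test used /^\d*$/, which also accepts an empty string.
sub valid_uint {
    my ($value) = @_;
    return (defined $value && $value =~ /\A\d+\z/) ? 1 : 0;
}

# --traverse: the reviewed line quit when the value was *below* 255; the
# error message shows the intended range is 0-255.
sub valid_traverse {
    my ($n) = @_;
    return (valid_uint($n) && $n <= 255) ? 1 : 0;
}

# File arguments: three-argument open with a lexical handle. The mode is
# given separately, so characters in $path are never read as a mode or a
# pipe, and the -f test runs on the opened handle rather than on the name.
sub open_for_read {
    my ($path) = @_;
    return unless defined $path && length $path;
    open(my $fh, '<', $path) or return;
    unless (-f $fh) { close $fh; return; }
    return $fh;
}

# Print one line per check: label, then whether the result was as expected.
sub report {
    my ($label, $got, $want) = @_;
    printf "%-34s %s\n", $label, ($got == $want ? 'ok' : 'MISMATCH');
}

# Constructed inputs. The second and third domains pass the reviewed pattern.
report("domain 'example.com'",     valid_domain('example.com'),     1);
report("domain 'a.'",              valid_domain('a.'),              0);
report("domain 'x.y; not-a-host'", valid_domain('x.y; not-a-host'), 0);
report("domain 'example.com\\n'",  valid_domain("example.com\n"),   0);

report("uint ''",    valid_uint(''),   0);
report("uint '10'",  valid_uint('10'), 1);
report("uint '-5'",  valid_uint('-5'), 0);
report("uint undef", valid_uint(undef), 0);

report("traverse '5'",   valid_traverse('5'),   1);
report("traverse '255'", valid_traverse('255'), 1);
report("traverse '300'", valid_traverse('300'), 0);

# With a separate mode argument the trailing '|' is just part of a file name
# that does not exist, so the open fails and nothing else happens.
my $fh = open_for_read('hosts.txt |');
report("open 'hosts.txt |'", (defined $fh ? 1 : 0), 0);
```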

Re: Fierce Scanner Evaluation
Posted by: tx
Date: March 27, 2008 08:09PM

EDIT: nm, didn't notice the link

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 03/27/2008 08:11PM by tx.

Re: Fierce Scanner Evaluation
Posted by: Malkav
Date: March 28, 2008 05:58AM

perl underground tend to think they're 1337 c0d3rz. i still wait to see real code by them. all in all, every single remark made here was of the type "man you suck by making code readable"

a very "grown up" attitude eh ?

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: Fierce Scanner Evaluation
Posted by: Gareth Heyes
Date: March 28, 2008 07:34AM

<html>

<head>
<!-- Charset? You do know about UTF-7, don't you? 13375 -->
<title>.:[ packet storm ]:. - http://packetstormsecurity.org/</title>
<!-- You do know search engines don't use meta tags anymore, don't you? -->
<meta name="description" content="Information and computer security full disclosure web site">
<meta name="keywords" content="computer security, exploits, advisories">
<link rel="stylesheet" href="/images/p.css" type="text/css" />	
<!-- Nice to know you are using 1.2, when did you write this 1998? -->
<script language="JavaScript1.2" type="text/javascript" src="/images/iefix.js"></script>
       
<body border="0" topmargin="0" leftmargin="0" rightmargin="0" marginwidth="0" marginheight="0">

<!-- You do know that topmargin etc is way old, don't you? Is it that long since you updated the HTML? -->

I could go on...

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Fierce Scanner Evaluation
Posted by: id
Date: March 28, 2008 10:24AM

They are free to re-write it all they want, it was a quick hack that does what we needed, so who cares?

-id

Re: Fierce Scanner Evaluation
Posted by: thrill
Date: March 28, 2008 11:44AM

It is so easy to criticize other people's work, the hard part is beating them to their own inventions/discoveries. I'm sure he will write the next best thing since sliced bread using nothing but 3 lines of perl, but until then, shut the fuck up and take the garbage out as your mommy told you to do half hour ago.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Fierce Scanner Evaluation
Posted by: IceShaman
Date: March 28, 2008 10:28PM

I kind of like these guys, I mean how else would we find these things in code without their help?

I kid, these kids are effectively a manual and less accurate version of Perl-Critic, with the rules set to "the one true style".

Whereas they do make some good points, I feel I have to respond with: "I only added threading and lazily ran code through tidy and changed some stuff around, it's not my code and over my dead body am I redoing it all". I mean sheesh, guy can't add one feature without getting flamed for not overhauling and testing the whole app, fuck that.

May I also point out that while they pedantically analysed everything line for line, they failed to notice that the threading code has an off by one in thread creation. Hell, I don't even care enough to fix it, but you'd think that sort of logical error would be a nicer find than "omfg you did not put all your variables in a big long ugly list, holy crap!!1one".

Guess they look at code, but don't read it ;)



Edited 1 time(s). Last edit at 03/28/2008 10:38PM by IceShaman.

Re: Fierce Scanner Evaluation
Posted by: tx
Date: March 29, 2008 02:44AM

@IceShaman: lol :)

-tx @ lowtech-labs.org

Re: Fierce Scanner Evaluation
Posted by: fragge
Date: March 30, 2008 04:39PM

"NO LEXICAL VARIABLES, DIE HEATHEN"

Re: Fierce Scanner Evaluation
Posted by: rsnake
Date: April 06, 2008 01:52PM

I heavily debated not responding to this at all because it's really pretty ridiculous, but I figured it deserved at least a cursory review.

My overall opinion? It was pretty lame. I've never heard of him before and probably for a reason, his comments are pretty pathetic. So this came out of left field for me. He seems to have a bone to pick with me - but I have no idea who he is. I've never been a fan of anonymous sucker punches. I get them a lot on the blog and in email and now I guess in e-zine format. Whenever I get that kind of crap it just shows that the person is afraid of what people would actually say/do to them if they knew who they were. In his case probably because he knows that he's actually clueless about security and that he'd get his ass handed to him by pretty much any decent security expert if he went public. I on the other hand am just about as public as it gets.

Anyway, onto the specifics. I love his "security" hole. "So wait, if I have access to the shell to run this program I could exploit this to get access to the SHELL!??!?!?!?!?1one!?!? That's such a security hole!@#$!!!" Hrm... this adds fuel to my theory that he's not much of a security guru. That's the same thing as hitting control-c. The _only_ way that could turn into an actual hole is if someone wrote some terrible web-based interface around fierce and didn't bother to secure that from injection. That's something you learn when you actually know something about security and not just Perl syntax.

As to his fixes, there were a few (and I do mean a few) small changes that I agree with, given that this code was never designed with beauty in mind, but most of his changes I totally disagree with (all his style comments for instance as they would make them ugly and unreadable) and the -w flag? Most people I know who write code for a living only turn that on while debugging. Once you put it into production why would you keep it turned on? He's not too bright, even in the area he claims to be an expert. Sad.

The reason why everything is in global scope is because the program evolved heavily from a single function into a pretty huge script that is fairly complex, with edits from multiple people. That actually has zero bearing on its functionality in any way that is meaningful, so he's basically being picky for zero net usefulness, because changing the scope from global to local doesn't change how the code works - at all. Not to mention there are dozens of missing features that have been slowly added and will continue to be added with future revisions, so cleaning it up now doesn't make a lot of sense since it's getting a complete re-write anyway (been planned for months).

It would have been nice if he had actually debugged a current version too. The version he looked at was from more than a year ago. Way to look at your revision history there! I sincerely hope it didn't take him a year to write those comments, or he really does need to find something he's good at - because this isn't it. Most of his actual valid comments aren't even issues anymore, given that that code was beta (even labeled as such). Leet. But again, it's getting a much needed re-write to add in a lot of functionality that we want in it for future versions.

He reminds me of some of the first Perl programmers I ever worked with. They knew their syntax but not much else, I schooled them on security regularly. I will admit, I am far from the best Perl programmer in the world, but that's not even vaguely my interest. Perl, while great for prototyping, and for writing quick tools like Fierce, is going the way of the dodo. Most of the old school hackers know it, so it'll probably stick around for a while because of things like Metasploit etc... but beyond that, it's a declining user base compared to .Net, Java, and PHP. Being great at FoxPro syntax makes you a bad ass too, I suppose, but it's not worth much anymore.

And I'm saying all of this while still being a huge Perl fan for its ease and flexibility to write quick and intentionally sloppy code that will still function, unlike most other languages (ironically one of the few true virtues of Perl which he clearly doesn't embrace). Why do I like writing quick sloppy code? Because I don't have a year to debug a small program, like apparently he does. Again, sad. If he wants to write highly structured and well organized and punishing code, he should go to C++. Perl is not the language for him.

None of his comments surprise me, except for perhaps the lack of certain comments which I was expecting him to say at some point as I read through it. He didn't even comment on the actual obvious structural problems in the code. It doesn't use Perldoc but instead a lame print statement that was supposed to be temporary, it isn't object oriented, it doesn't have XML support, it doesn't have a way to easily enumerate and a bazillion other actual problems that are worth talking about (all of which are being planned). So yes, he's right, but he's also short sighted.

Even his comments elsewhere in his other zines are mundane or just plain stupid. Like this one on one of str0ke's programs:

my $i=1;
# ever heard of for loops? we have them for this!
# there was this kid in a beginner's c++ class I once taught
# he only used do-while loops, because he was afraid of for loop syntax
# and while was just too straight forward for him
# are you that kid? is for just too complex for you?
# moron
# for my $i ( 1 .. 51 )
while($i < 51){
print ".";
my $thr = new Thread \&exploit, $serv, $port, $time;
$i++;
}

Uhm... why is he assigning variables he does not need? $i is not necessary, and even if it was he could use $_. Also, I cannot believe he screwed up str0ke's code and made it 51 threads instead of 50. He's guilty of the same dumb code he flogs other people for. Alas, arrogant and wrong. How about:

for (0 .. 49) { my $thr = new Thread \&exploit, $serv, $port, $time; }

or easier to read:

for (1 .. 50) { my $thr = new Thread \&exploit, $serv, $port, $time; }

Arrogance does not make you good, it just makes you a loser when you're wrong.

The very sad part of this is that even _I_ found more problems in my own code than he did and I would never claim to be a Perl expert in a million years. Ouch! I'm not particularly impressed or interested in much of what he said, to be honest. I guess some people just weren't cut out for security, which requires more than a book on Perl to master. $his_guru_status--;

- RSnake
Gotta love it. http://ha.ckers.org



Edited 5 time(s). Last edit at 04/06/2008 03:01PM by rsnake.

Re: Fierce Scanner Evaluation
Posted by: tx
Date: April 12, 2008 03:26PM

From FD: http://seclists.org/fulldisclosure/2008/Apr/0260.html

Quote

This is Perl Underground here. We thought we could respond to a couple kids, cause there ain't nothin' like dissin' on FD. Part of this rant is just in general, and might end up in Perl Underground 6. So it's to be considered BETA, and thus criticism is UNACCEPTABLE!!!

Just kidding.

RSnake and his talentless fanboys would like to diss Perl Underground in any way he can to mend any damage to his image. He likens us to Perl programmers he has schooled on security topics. This may mend his ego, but does not reflect accurately on the people of Perl Underground nor does it help understand the Perl issues we brought forth. RS wants to give the impression that he is an incredibly talented individual (a "Web application security god") who has, without reason, been maliciously targeted for a year by Perl programmers who must be untalented, otherwise they would be public. Never mind that we critiqued many others, or that we connect readers with more positive information than poor code. Nope, we must be all about RSnake jealously.

IceShaman claims we "pedantically analysed everything line for line" while RS states "I don't have a year to debug a small program, like apparently he does".

A contributor spends maybe twenty minutes going over code of this size. We stated explicably in past zines that we are merciful and only discuss the occasional issue. Until you actually learn Perl, RSnake, it's hardly worth our time to teach you Perl OOP or proper documentation technique (what you call "Perldoc" is generally called "POD", by the way, but whatever). We do not intend to fix your code. Instead we simply offer the occasional suggestion to make you think. You two are responsible for your own code, it isn't our fault there are so many issues that we can only discuss (and notice, for that matter) a certain amount in a given publication size.

"and the -w flag? Most people I know who write code for a living only turn that on while debugging. Once you put it into production why would you keep it turned on?"

I bet the people you know who write code for a living are shit with Perl too. The warnings pragma (*not* just the -w flag, there are slight differences in practice but that's getting beyond you and offtopic) is highly useful in debugging AND in released code. Why? Because it catches runtime problems, fuckhead. There might be no warnings in your last set of tests, but different data can provoke them and reveal errors in your code. Lots of serious professional Perl programmers INSIST on warnings being on. On the other side of your argument, strict is compile-time, so why the fuck would you leave it in if you had the impression that even warnings was of no further use to you? strict is much less likely to make a difference to you if it passes in general, which is ironic given your position on warnings. Again, in practice Perl coders leave strict in to save time maintaining (instead of setting it again for every patch) and as a clear sign that the code is strict-safe and the author strict-aware, reasons that apply to warnings as well. The actual performance hit of either is unnoticeable, certainly not a bottleneck in your program.

"[...] changing the scope from global to local doesn't change how the code works - at all. Not to mention there are dozens of missing features that have been slowly added and will continue to be added with future revisions, so cleaning it up now doesn't make a lot of sense since it's getting a complete re-write anyway"

Isn't that smart? Let's leave it as a total mess because we're just going to add more to it and make it a further mess? How about you get your code under control and maintain it. Or are you just too used to writing little piece of shit programs, that you do not have the organizational skills to manage a slightly-larger little piece of shit program with multiple contributors? How about you exclusively use file-scoped variables in C programs, because various shitheads aren't smart enough to design procedural code and you cannot figure out how to responsibly organize it? That probably sounds ridiculous, but that's the argument that RSnake is making.

We saw both the beta and the 1.0, and both times thought the code sucked. You labelled 1.0 as a "production ready DNS enumeration tool". Maybe we just have higher standards than you for production-ready. Frankly, your code is shit, regardless of which version we criticize. You can hide behind the fact that we wrote about 0.9.9 instead of 1.0, but only so much changed. It's still shit, so is 1.0.3.

Hardly anything has changed in the meantime, and it is no less enlightened. Almost everything shitty ("style") complaint, like, uh:

if ($filename && $filename ne '') {

are still around. Mostly it has just been moved around. Fresh shit has been added. Consider these two consecutive lines:

$domain =~ s/\.$//g;
my $inet = inet_aton("$domain");

Not cool RSnake, not cool.

We are a collection of individuals who come together under an understanding. This understanding is that most programmers write code that is less than mediocre, and that concrete steps need to be taken to increase our standards at all levels. This is virtuous for both artistic and practical reasons. Some do this in peaceful ways (and even we do, too, through other avenues), while we felt a need for more vocal protests. Many self-described security gods calmly discuss how better computer education is needed for average users to increase their security. We discuss how better education is needed for the pure mass of programmers, including those with blogs and fanboys, to increase the stability of our software infrastructure in both the short and long term. Every time a piece of bad software is distributed it damages this longterm goal for all of us. We do not expect perfect code (we certainly do not write perfect code), but we do expect basic research and at least mediocrity before distribution.

We have a strong commitment to quality Perl code and doing our part to support the production and release of the best Perl possible. That's why if you release something, you better be able to take a bit of heat. We let a lot of code go that would not pass a basic code review at any respectable establishment, and instead we stick to noticeably loud or shitty code.

You wrote and published bad code, RS. Just as you can be rewarded for writing a moderately useful tool, you can be criticized for defecating on our art.

We are anonymous because we have no need not to be. Being anonymous leaves our articles up for review publicly, instead of just providing names for you to attack ad hominem, although you tried anyways. Perl Underground is not about improving our programming careers. It is not about making a name for ourselves in security communities. It is not about having fanboys. It is not about having a blog, forum, or advertisements.

It's about Perl.

-tx @ lowtech-labs.org

Re: Fierce Scanner Evaluation
Posted by: id
Date: April 12, 2008 08:03PM

he's free to post all of the similar but perfect tools that do the exact same thing as fierce does in its oh so flawed awful way.

-id

Re: Fierce Scanner Evaluation
Posted by: Gareth Heyes
Date: April 13, 2008 04:52AM

It's not about Perl, it's not about PHP, it's not about Javascript, Java or any other language. Hacking isn't a religion it's knowledge. Writing a tool isn't about conforming to programming standards it's about producing something different or useful.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Fierce Scanner Evaluation
Posted by: thrill
Date: April 14, 2008 11:39AM

@id - He is not going to take his time away from the future killer app from hell that he's writing in a single line of perl to post countering/more effective tools for us to use.. it's just not worth his time considering that the single line of perl he's writing is going to net him billions of dollars in just 6 weeks time.

@Gareth - agreed. But as the saying goes, "If you can, DO, if you can't, Teach, if you can't teach, manage, and if you can't manage, criticize."

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Fierce Scanner Evaluation
Posted by: rsnake
Date: April 14, 2008 09:00PM

I don't have a lot of time to ping pong with every line of this retort so I'll try to make this quick. Let him/them critique all he/they want. I'm glad they at least read my comments though. Maybe not all of it sunk in, but whatever. I just think it's a huge waste of time that they think Perl is an artform that needs to be defended - like a religion more than its own motto TIMTOWTDI. But like them, everyone has an opinion, perhaps mine is wrong. I always saw Perl as the disorganized slop that made my life a thousand times easier than it was when I was using C. That's the reason I liked it. Now I'm told I have to hate it for the same reason I hated C in the early days. It's apparently too delicate for my brutish ways. At least they know how I feel about things, even if they apparently disagree, or didn't understand me, or whatever.

Once again, I _never_ in a million years would claim I'm a Perl guru. I'm still not even sure why I ended up on this list except apparently the site is not good enough or he/they hates the people on it, or what have you? It's too bad, I try to listen to people's comments and make the site what it should be, when I have the time - which I almost never do. Especially in the early days of the site when I was starting it I would regularly ask people's opinions on what I should write about and research. Everyone said to just keep doing what I was doing. No one ever said, "stop releasing code." At least not until now.

I certainly never intentionally released Fierce as if it was "the shit" or as if I was a bad ass for having written the early versions of it. In IceShaman's defense my early versions were certainly worse before IceShaman added threading in and re-wrote a good chunk for me. Rather I thought (and I could quite possibly be wrong, because neither networking nor programming is my forte - better than most, maybe but definitely not guru status) Fierce did some cool stuff and I hadn't seen this concept elsewhere in quite that way. That was especially true because it was finding RFC1918 in some very big companies that was useful for the Intranet hacking stuff we were working on early last year. Again, if it wasn't useful to people, that's fine. I certainly wasn't forcing it down people's throats.

I made it open source because I wanted others to share in it. No money, nothing. Just a funny graphic, and some cursory testing to make sure it was at least vaguely stable. Meanwhile eating my own dog food and using it regularly, while finding issues here and there, all of which have either been patched or have patches forthcoming in the re-write that is 2.0. If that makes me an irreconcilable douchebag, so be it. I thought people might actually want to use it, even as it stood - ridiculous syntax sloppiness and all.

So to my esteemed colleagues in the Perl Underground I say this, Perl is yours. I never wanted to be a developer and if I never develop another line of code, that would indeed be paradise. It was never my strong suit and never will be, even if I walk circles around most. That is why, happily, I have given up the development of Fierce except for minor patches and have given it to other more capable hands.

Okay, that's it. Enough defending code. It is what it is. Use it or don't. My Perl sucks, it always has, it always will. I am incapable of learning any more about it with my ridiculously tight free time. For good or for bad, I really do have insanely more important things going on.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Fierce Scanner Evaluation
Posted by: thrill
Date: April 15, 2008 11:47AM

I have to admit, that was a very dignified and proper reply. "If you wrestle with a pig you'll both get dirty, but the pig will love it."

Nice one you irreconcilable douchebag! I'll have id take you out for a beer on me! ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Fierce Scanner Evaluation
Posted by: fragge
Date: April 15, 2008 05:55PM

The humble reply still doesn't retract from the hilarity of the evaluation - I love those kids at Perl Underground, they crack me up. "and then released it to the world like
# it was big shit and they were bigger. kids, just keep your shitty code to
# yourself." lolololol. Super Mario Bruvvahs lets go eat some mushrooms and get rlly big, and punsh some brix.

Re: Fierce Scanner Evaluation
Posted by: tx
Date: April 15, 2008 06:47PM

You know I really like Perl Underground conceptually. The idea of a faceless group of people dedicated to higher quality code, I think, could be a very good thing. While anonymity is good because it potentially allows for no-holds-barred criticism, it seems that PU is content to frequently slip down the tired h4x0r road of one-upsmanship and semantical masturbation.

Quote

We have a strong commitment to quality Perl code and doing our part to support the production and release of the best Perl possible.
...
It's about Perl.
To PU, if the above is true, why not spend time fixing/improving code as opposed to just criticizing, would that not be contributing to the stated goal of seeing the best possible Perl released?
It's sure to do a lot more than 50 comments about lexical variables.

EDIT: Perhaps I'm just nostalgic for those first zines I read when I was a kid in the early/mid 90s, but currently there aren't many quality zines that are still produced. Maybe it's because the culture of the internet is so different from the earlier BBS culture, but I miss it. Despite its shortcomings Perl Underground has a relatively high signal/noise ratio in the current environment (of course nowadays that just means it doesn't consist of 3000 lines of IRC logs). It actually contains information that could be useful and that somebody could learn something from. I think that's a good thing, but the immature name calling and religious devotion to minor semantical differences detracts from that usefulness.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 04/15/2008 07:04PM by tx.

Re: Fierce Scanner Evaluation
Date: April 15, 2008 08:35PM

fragge Wrote:
-------------------------------------------------------
> Super Mario Bruvvahs lets
> go eat some mushrooms and get rlly big, and punsh
> some brix.

Quoted for its epic nature.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Fierce Scanner Evaluation
Posted by: tx
Date: April 16, 2008 01:59AM

@Awesome AnDrEw: seconded.

-tx @ lowtech-labs.org

Re: Fierce Scanner Evaluation
Posted by: fragge
Date: May 12, 2008 10:38PM

RSnake got another zine mention ;)

http://cypher0.h18.ru/zf04.txt

-- RSnake won a pwnie! You came close kuza, but no cigar. Money quote:

"Firstly, in an ever popular category these days, We have our nominations for the
"Most narrowly directed researcher" award. The nominations were:
1. kuza55 -- Some guy who presented at MS's bluehat conference about the
dangers of XSS. XSS effects us all, and we should all work to eradicate it by
writing a tutorial on how to exploit XSS vulns for our local l33t h4qr website
and post a zillion and ten XSS advisories on milw0rm/FD/bugtraq a day.
2. Luigi Auriemma -- A relative newcomer to the security industry, he
has never-the-less been extremely active in posting basic web vulns and easy
stack overflows against Windows apps on milw0rm and FD. I mean, there's nothing
like auditing five year old code that no one uses for strcpy() eh?
3. RSnake -- This man again is well known for his XSS skillz. His
famous XSS cheat sheet provides encodings for things like <, > /, etc in various
formats for people too lazy to code an ASCII/hex/unicode converter or too lazy
to run `man ascii'. A real winner. His web skillz are so legendary that he's
spoken at many conferences and even has several blogs where he talks about such
interesting topics like CSRF (and of course XSS).

Ahem. And the winner is....... RSNAKE!!!! Congratulations Rsnake, you have won
the award for Most Narrowly Directed Researcher! If you'd be so kind, you can
send your acceptance speech to our email address, superheroes@hushmail.com.
Oh, and if you'd like to add another award to your already vast collection,
learn how to use a compiler and you may get another pwnie, that of Biggest
Masturbator."

----------------

I like their eZine, quite funny ;) read the mirc logs from the g00ns and anonymous box ownages. SO MUCH DRAMA ("\(O_O)/")!!!

Re: Fierce Scanner Evaluation
Posted by: thrill
Date: May 12, 2008 11:26PM

Well, he gets brownie points for being able to actually spell masturbator, however:

Quote

XSS effects us all

Did you mean "affects us all" or is you no nowin engrish?

ahh.. the joys of being perfect and being able to point out others faults.. <g>

EDIT: ha! had a misspelling.. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 05/13/2008 12:41AM by thrill.

Re: Fierce Scanner Evaluation
Date: May 13, 2008 08:27AM

"Biggest Masturbator"? This is a title surely worth its weight, and competing for.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Fierce Scanner Evaluation
Posted by: rsnake
Date: May 20, 2008 09:07AM

The irony is that this pwnie was posted in the thread where I was getting hammered for writing a DNS enumeration tool. Not exactly XSS related.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Fierce Scanner Evaluation
Posted by: Malkav
Date: May 22, 2008 03:01AM

"quand on veut noyer son chien, on lui trouve des puces" (when you want to drown your dog, you find it has fleas)
whatever you do, there is always some lame bastard to tell you how shitty it is. house politic on this "frankly my dear, i don't give a fuck" (first to reference citation wins a beer in paris (transport and hotel not included))

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: Fierce Scanner Evaluation
Posted by: istari
Date: May 22, 2008 03:54PM

"Frankly, my dear, I don't give a fuck." was used in the 1993 film Poetic Justice, starring Tupac Shakur and Janet Jackson. <== Wikipedia owns quotes ;-)

And beware, I just might make you pay that beer next time I'm around Paris :-P

Re: Fierce Scanner Evaluation
Posted by: tx
Date: May 22, 2008 09:45PM

@istari: win, but -10 for wikipedia.

-tx @ lowtech-labs.org

Re: Fierce Scanner Evaluation
Posted by: sjraptor
Date: May 26, 2008 01:49AM

thrill Wrote:
-------------------------------------------------------
> ahh.. the joys of being perfect and being able to
> point out others faults..
>
> EDIT: ha! had a misspelling.. ;)


Yeah, you have another one too.

> other's

-Marcin
http://tssci-security.com

Re: Fierce Scanner Evaluation
Posted by: thrill
Date: May 26, 2008 11:25AM

@sjraptor - yeah, I thought about that one, but "other is faults" didn't sound right.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Fierce Scanner Evaluation
Posted by: fragge
Date: May 26, 2008 07:45PM

sjraptor.. its others' mate.. LOL.
