sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Whitehat or what?
Posted by: ckore
Date: February 13, 2007 07:34AM

I've read several articles on XSS now and tried one thing or another over the last few months. I'm not a beginner any more (I think), but I'm far away from being an expert. With knowledge, there comes responsibility and I just wanted to ask you guys how you deal with it. I check for holes here and there, I even found a nice SQL injection giving me the md5'ed passwords of 3000+ users (I tried to decrypt around 30 of them by using rainbow tables and failed to find only 4 of them). I got a cookie logger running on one site or another gathering cookies and so on.

I'm not evil or so, I don't want to harm anybody, but somehow I'm also not really a whitehat. I catch myself thinking of keeping possibilities open. I don't want to contact webmasters and so on, because this means the source of information (passwords, cookies) would run dry. Maybe, if I gather some more experience and knowledge, this will change, but at the moment I feel comfortable with having possibilities ;)

How do you guys handle your knowledge? Do you tell webmasters that they have holes in their websites? Do you make the hole public to force them to close the hole? Do you launch a worm or whatever to show them that they have a hole or do you simply not care :) ?

Re: Whitehat or what?
Posted by: jungsonn
Date: February 13, 2007 11:17AM

You're greyhat then? Well, there are many shades of black ;)

I'm not into hats, those look silly nowadays ^^ But if I must pick a color for my hat I will choose some swatch between white and black, so that makes me gray I guess.

Sometimes I tell site owners, sometimes not. It's not my job to do so. But if I'm in a good mood I will type a mail. But given the response you get back it doesn't look promising or rewarding to really tell them. Some will bark at you, if that happens I quickly think: I'd better walk away, let them figure things out themselves.

Re: Whitehat or what?
Posted by: Kyran
Date: February 13, 2007 11:23AM

I want a nice Fedora.
Maybe a red one.
Oops, wrong analogy.

- Kyran

Re: Whitehat or what?
Posted by: rsnake
Date: February 13, 2007 11:48AM

Slightly off topic, but you reminded me I wanted to write this: http://ha.ckers.org/blog/20070213/guessing-passwords/

Re: Whitehat or what?
Posted by: ckore
Date: February 13, 2007 12:21PM

I'm not too familiar with the "hat"-jargon Kyran, so if it isn't called whitehat or whateverhat today, I'm sorry.

Re: Whitehat or what?
Posted by: id
Date: February 13, 2007 01:56PM

Don't do bad things to people who don't deserve it.

Don't get caught doing bad things to people who do.

It's all pretty easy until you try and define who deserves what.

-id



Edited 1 time(s). Last edit at 02/13/2007 01:57PM by id.
