Originally Posted by tomek
Well personally, I don't think it's that bad. If the guy hacked in the first time, then would do something like post and say, "Hey, your software is vulnerable at xyz and I just proved it." Then you can respect the guy (sort of).
I sort of agree with what you're saying.
I think with a lot of hackers you have to start out as a kid mucking about and having a laugh, that's what sparks interest. (The best example I can come up with is how many people who are electronic engineers started by getting electrocuted, you get hooked on the power and its capabilities, and then learn how to harness it.)
But it's what you do with that power that makes a difference, good hackers (whitehat sense) are the ones who are actively looking for the exploits in software, they are the ones finding the bugs, and reporting them to the developers, not exploiting them in the wild.
Bad hackers (blackhat sense) are the kind of guys like these who hack a forum, destroy data etc.
And these guys weren't even that good black hat hackers, I mean what sort of decent hackers leave enough information to track them down to their houses?
The funny thing is that in some ways I respect what these guys are doing, if they are serious about being security consultants, then I'd really like to see them progress - there aren't enough good security consultants in this world, sadly due to what they've done here, it's unlikely that they are going to progress on these forums any time soon!
The advice that I'd give to them is this though.
Hacking a site then asking for money to fix it is just stupid, all you're doing is making a bad name for your "business". Extorting money and leaving a paper trail to your door! Now had you done this a different way, marketed yourself as whitehat hackers or penetration testers, you may have been able to agree a price with the admin, and the admin would have invited you to hack their server!
The company I work for do security testing like this, we're paid to do this sort of stuff.
If you really want to do this then this is my advice (feel free to take it or leave it).
Don't hack pages uninvited.
Make your home page a web page, with a forum behind it (if you really want a forum) (no business has a forum for a home page).
Get yourself a load of test rigs, these can be virtual machines, and actually try different configurations and hack for yourself (looking into the details of how premade scripts work for example will give you a useful insight into how the software is put together and how to exploit it).
Get yourself some credence (by this I mean look into standards like ISO2700 or ISO27001 - security or ISO9000/9001 - quality assurance). These are in principle reasonably easy to get - you just have to prove that you have the knowledge, experiences and processes to meet the standards - they are not difficult to get, and worth a lot to a business.
Then you can go out as real security consultants, earning some real money.
At the end of the day, you guys are 15, with your whole life ahead of you.
Doing this kind of crap is reasonably likely to end you up in some kind of trouble, I mean fines, possibly prison, you could have court orders ordering that you're not allowed to use computers or connect to the internet.
Do you really want to be flipping burgers because you did some silly stuff as a kid?
On another note, it gave us a lot to talk about this week, and I learned more about vBulletin encryption and how easy it really is to crack MD5. So apart from the admins having some work, it was quite the edification for me. Furthermore it gave the site admin (JCB I think) an insight into some of the vulnerabilities of his own bulletin board.
This is one of my favourite things about IT, you never stop learning.
I think that a lot of people come into this industry not realising that they will spend the next day of the rest of their lives learning, some new technique, some new technology, some new practice, some new software.