==Phrack Inc.==

Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x0f

|=-----------------=[ P R O P H I L E   O N   S H O K ]=-----------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack Staff ]=-----------------------------=|

|=---=[ Specification

Handle: Shok
AKA:
Handle origin: No idea
Age: older than I look ;)
Born in: Trinidad
Height/Weight: [ ] daemon9
               [ ] Kids meal (under 5'7 / under 160 lbs)
               [ ] Regular (5'8-6'5 / 160-200 lbs)
               [X] Supersize (6'5-7'2 / 200-300 lbs)
               [ ] Defcon attendee
Urlz: http://www.xfocus.net
      http://www.immunitysec.com/GOBBLES
      http://www.datarescue.com/cgi-local/ultimatebb.cgi
Computers: '94 486DX (x86 Solaris), Dell Inspiron laptop (Mandrake and
           Win2k) IRIX 5.3 R4600
Member of: Mile High Club

|=---=[ Favorite things

Women: intelligent, personable
Cars: My "ghetto truck" as minus used to call it.. a '93 bare bones
      Toyota pickup
Foods: Italian, Indian, Turkish
Fruit juice: chocolate
Music: Oldies (Diana Ross), Emo (Arthur, Something Corporate),
       Screamo (The Used, Finch), Hardcore (Atreyu, From Autumn to
       Ashes), Punk (Rufio, Slick Shoes), Techno (Oakenfold, Van Dyke,
       Digweed), Classical (Vivaldi), Ska (Five Iron Frenzy)
Movies: Memento, The Dancer Upstairs, Adaptation, Run Lola Run
Books: Crime and Punishment, Anthem, DaVinci Code, Inside Windows 2000,
       Undocumented Windows 2000 Secrets, Solaris Internals, Applied
       Cryptography, Programming Windows Driver Modem
Urls: I like: nothing
      I dislike: everything

|=---=[ Life in 3 sentences

I love to learn. I wish I had more time to read. If I had all the money
in the world I would buy a Siberian bride and spend the rest of my life
doing research and going to school.

|=---=[ Hacker Life

PHRACKST4FF: Previously, you had chosen the path of full disclosure and
submitting numerous whitepapers and exploits explaining what were
previously 'unknown' techniques.
Also, you're the founder of a very large and popular 'whitehat' group
which has gained tons of publicity over the years. What has changed your
opinion and made you believe in non-disclosure?

It's not helping anything. I'm not against releasing papers and tools
that advance the field. I'm against releasing information that will
obviously be harmful. So I'm not going to waste my time finding
vulnerabilities. If I write exploits it will be to enhance my skill but
I won't release them. I have always done security because I enjoy it, so
I'm just trying to live life in my own niche.

I think in some cases I put people in harm unnecessarily by not always
contacting or giving ample time to the vendor when releasing
vulnerability information, and I don't really feel now that it has
produced much good. If I could have seen into the future, I would have
been comfortable sharing info with the security community while it was
still small until around the end of 2000 when the information started
getting misused in ways that really only hurt the cause of security. Of
course there were probably some always misusing the information but it
was on a tolerable level. Now after every major vulnerability we see, we
have to wonder whether a worm will be released. It's a waste of time for
administrators, family businesses, whatever to have to deal with this
kind of thing.

So I guess to summarize, I would have only participated in disclosure so
long as it had remained for people that found security interesting but
weren't interested in using it in malicious ways. Since this is no
longer the case I will avoid participating.

|=---=[ Would you work for the government/military? Why or why not?

Good question.. I would really enjoy seeing the echelon capabilities of
NSA, so if I got to work with this kind of stuff I definitely would.
Since it would take a long time to get that kind of clearance, though, I
would be too restless.

|=---=[ Memorable Experiences

The Christmas I got my first computer, the first time I got a buffer
overflow exploit working, the finale to Temptation Island I, trying to
live on the East Coast and hating it, my first earthquake, first beer
festival in Erlangen, finding arrowheads in the desert and sharks teeth
on the Atlantic ocean, sleeping in the car outside of Innsbruck Austria
and camping out in Saint Gallen Switzerland, getting kissed by GOBBLES,
meeting prym recently and finding him to be a cool guy, getting slapped
by a girl in 8th grade, watching Napster rise and fall, my first
psychologist, my first broken heart, my first roller coaster ride.

|=---=[ What's your architecture of choice? OS of choice?

I'm definitely most comfortable with x86 followed by SPARC. I definitely
have the most fun with Windows because there are still so many unknown
parts of Windows internals that need to be reverse engineered. I like
playing on BSD, Solaris, and Linux equally. I grew up on Linux, though.

|=---=[ Quotes

"Emotion is not a tool of cognition; it is the result of your values. If
emotion was a tool of cognition, it would presuppose determinism because
the right course of action' is already built in you."

"The logical fallacy of argumentum ad ignorantiam dictates that the onus
of proof is on he who asserts the logical positive. You cannot take it
literally to deduce the logical positive, you must determine it by the
actual meaning."

"You have to accept an axiom as your base of knowledge."

"I'll get it off Shok's box" -- swr

"w00w00 is p00p00" -- #phrack

|=---=[ Open Interview

Q: How did you get involved in hacking?

Through irc #hackers and #hackerz, which led into trading root shells
and phrack. There was a Swedish hacker named BiT that I would say was
the closest thing to a hacker mentor that I had. I'm not sure whatever
happened to him. I stopped hacking at a really young age when I was
still in the root shell / skript kiddie phase after a close call.
The legal consequences of hacking were never worth the gain to me. So I
tried to find some way to fill the void.. and I mainly did that by
looking through software for vulnerabilities and writing exploits.

Q: If you could turn the clock backward, what would you do different in
your young life? Would you stick with anti disclosure throughout?

At the time I first started I don't think there was such a pronounced
BlackHat movement and a lot of people seemed to do it for the same
reasons I did, so there wasn't such a problem. In the last few years the
entry barriers into security seem a lot lower, and so it is more
dangerous releasing working exploits and things now than in, say, 1998.

Q: More security members (who's lying here?): w00w00 or GOBBLES?

w00w00 doesn't want to hurt the feelings of the much smaller and puny
GOBBLES, so I will not answer that question ;PppppPPpPpp

But anywayz, I do not think w00w00 is really a "group" anymore, mainly
just a social gathering of friends. I don't think we'll be releasing
much anymore. We're all doing our own things.

Q: Favorite phrack.efnet.ru news flash?

BREAKING NEWS: females are not welcome in #phrack anymore

Q: Favorite ~el8 article?

"gobble blaster -- uncle m4v1s"
It was nice to see someone pick on GOBBLES for a change

Q: We heard your friends were the basis for the movie "Antitrust." Can
you explain more about this to us?

Yah it is based on a true story. Just like "Italian Job."

Q: Worse advisory: Palmpilot encryption weakness or XSS?

My vote would be for XSS. I have a rule on my mail client to just delete
any email with the word XSS in it.

Q: Favorite ~el8 member? (not to unfairly bias the interview process but
we kinda like Kareless KaRL)

Well I would have to say MiKE TySoN. He sounds pretty friendly.

Q: Do you find it ironic that Shaun Fanning's opensource file sharing
network is probably the biggest reason why things like the DMCA have
passed in Congress?

Yes, I realize, and this is why my feelings on full disclosure have
changed. I don't want to reach a point where it is illegal to discuss
security information that may be used to compromise systems and I'm
willing to sacrifice full disclosure to reach that. I wish we could get
back to a point where disclosure was not being abused but I don't
anticipate that happening. It's ironic that the full disclosure movement
will lead to its own demise. The worms and mass rooters that are being
produced from it will only push politicians to get involved.

Q: Kobe Bryant: Guilty or innocent?

Dunno.. that or he likes it rough :)

Q: We understand that before Solar Diz's netscape advisory came out, you
were the undisputed world champion of HEAP EXPLOITATION. Does this
sudden shift in power upset you?

I think Solar Diz was exploiting heap overflows long before me :) I was
mainly putting together my own findings. Solar is amazing, though. Maybe
I will need to make one for Windows too.. I haven't seen Solar
publishing anything for Windows :P

Q: Who would win in a fight, Ja Rule or 50cent?

Man, I'm from the mid-West. I don't even know 50cent.

Q: Who would win in a fight, Dan Bernstein or Wietse Venema?

Dan Bernstein

Q: More lines of original code: OpenBSD or grsecurity?

grsecurity

Q: More 0wned: jobe or seiki?

I don't know seiki so I can't compare :)

Q: Who the fuck is "Remie"?

One of dmess0r's old girlfriends that stayed in the w00suite '99 and
became part of the w00family. She's pretty neato.

|=---=[ One word comments

Digital Millennium Copyright Act (DMCA) : (the) beginning
BUGTRAQ : headlines
jobe : heh
TESO : skilled
ADM : missed
w00w00 : 4life
IRC : usenet
GOBBLES : HFG
FAKE PHRACK : fun
phrack.efnet.ru : meanies
PHC : confusing
Full Disclosure Policy : misguided
Projekt M4yhem : telling

|=---=[ Please tell our audience a worst case scenario into what the
        scene might turn into.

A fatal STD enters into the irc sex chart... there goes 90% of the
scene.
Or if security becomes obsolete and there is nothing else to do. Or if
the current rate of worm outbreaks results in discussing security or
possessing exploits being illegal.

On one hand, I think it would be really bad if everyone kept everything
to themselves and no one shared anything. What would be the fun in that?
Hackers obviously like to share things with other hackers (hence how
0day gets leaked).. they just want to keep it limited to a group of
trusted friends. So I think you need to allow some amount of
communication. I think it's useful to see papers and tools that advance
the field. This is what I mainly want to focus my time on in the future.
Finding vulnerabilities is a waste of time unless you're going to use
them. Coding exploits can be good in improving your skill, but posting
them is just going to cause more harm than good. But even blackhats
share too many things which spread through the underground and get
leaked. It might be better to focus your attention on the leaking
blackhats. Since these leaking blackhats are more capable of getting
their hands on private exploits than whitehats, I don't know why you
don't see them as the bigger threat.

On the other hand, I don't think releasing exploits is doing very good
either. This constant flood of worms and mass rooters isn't helping
anything. I will bet that in 5 years it will be illegal to release code
to the public that can be used for unauthorized access into computers.
Then Bugtraq will no longer allow exploits to be published, and the
full-disclosure list, if it still exists, will become moderated or the
guy running it will get himself arrested.

|=---=[ And if everything works out fine? What's the best case scenario
        you can imagine?

It would be good if there was some point that people were willing to
compromise. Waging a war against whitehats will do no good because most
whitehats don't care about the blackhats' opinions.
I wish that people respect each other's rights to their own findings.
Blackhats will never get rid of all whitehats and vice versa. So it
would be better if exploits, tools, and papers could all be copyrighted
so as to ensure they are only used as the author intended. People that
chose to advance the field by releasing papers should be allowed to.
People that want to keep their research to themselves or a select group
of people should be allowed to. I guess it's implicit DRM on security
knowledge. Does that make any sense?

|=---=[ Any suggestions/comments/flames to the scene and/or specific
        people?

Unix is so 1990s. These worms suck, learn to write better worms. Don't
spend more than 50% of your free time on irc, give women a try
(preferably one that doesn't know what irc is). Don't complain about
whitehats disclosing stuff until you stop leaking other peoples' warez
first.

|=---=[ Shoutouts & Greetings

To the cute ladies of the scene

|=[ EOF ]=---------------------------------------------------------------=|