15

So it's something we've been kicking around in chat for a while about a specific question, but I think it goes to the style of the site. We as a community are answering blackhat style questions. Do we want to impose a requirement that all questions regarding vulnerability exploitation also include a remediation?

If we do not, this site may degenerate into a specification of attacks, without providing real value to those practicing network defense. Seeing it from a pen tester's point of view, that's useful to perform a job, but it also gives the bad guys a resource as well. If we're willing to do that, I think it's our responsibility to provide resources to mitigate these issues.

What are some ways we might format our questions to require this, and would it be something we would update the FAQ with?

4 Answers

17

I'm not so sure.
It's perfectly valid, even in a whitehat PoV, to be asking only about the attack, exploit, vector, payload, whatever.
Sometimes it's for a pentest (where mitigation may not be relevant), sometimes it's for a tricky bit to find the right e.g. evasion (but the mitigation is clear - e.g. how to exploit a filtered XSS, but fixing XSS is simple and standard).

Either way, forcing the fix into the question and/or answer just muddles things up, and makes it messier all around.

And, we're not really preventing blackhats with this, since they can trivially ask for the mitigation, and then promptly ignore it.
Nothing to do about that, c'est la vie - cellphones can be used by terrorists too ;).

At some point, we need to rely on human sense - our collective noses for what is hinky, and what just needs to be slightly edited.
I think we've been doing a good job so far.

1
  • 3
    I agree. Requiring extra steps in an answer doesn't mean the questioner will make use of those steps.
    – user185
    Commented Jun 12, 2011 at 15:15
9

Speaking as a fully white-hat person (I'm a developer whose products are sometimes part of a security infrastructure, and an occasional system administrator), I think the site is doing fine as it is. Talking about attacks does provide value for me; it tells me what I'm supposed to defend against. When designing a defense, a lot of the difficulty is imagining how it could be breached.

Why would a thread about an attack require a remediation? Conversely, should a thread about a defense include a way to bypass it?

The site is doing just fine right now. It would definitely suffer if we started rejecting questions just because they're too black.

0
4

Blackhat and Whitehat need not be kept completely separate... pilots learn to handle emergency situations by simulating them (either virtually or by shutting off an engine midflight) in order to learn. Security officials need to 'force' situations (conduct 'blackhat' exercises) in order to learn how to cope in the real world.

Take the 'blackhat' information and questions for what they are, learn from them and apply it to your 'whitehat' world.

3
  • 1
    I think you're misunderstanding what "blackhat" means, at least to the majority of users here (and security professionals in general). Blackhat are not simulations, you cannot conduct "blackhat exercises" - blackhat is malicious. The problem is not "simulated attacks" - of course we allow, and encourage, those - the problem is those questions with malicious intent.
    – AviD Mod
    Commented Jun 26, 2011 at 8:32
  • 1
    @AviD: Presumably the black hats are smart enough to obfuscate their intentions? "Hi, I'm a white-hat helping someone secure their website, and..." See here: stackoverflow.com/questions/6681549/…
    Commented Jul 14, 2011 at 23:43
  • @Robert, I agree, see my answer. My point was that "blackhat" is about intention, which we'd ideally like to disallow - difficult though that is - and not just a "simulation" issue...
    – AviD Mod
    Commented Jul 15, 2011 at 6:55
2

I agree with this - it has been a worry of mine since the start. The really obvious ones get ditched, but we have been erring on the side of allowing ones where we could justify it as a white-hat method.

I like this idea of requiring remediation - we could easily edit into each question that looks a bit black hat-ish, and we can add a note to the FAQ.
