How do you feel about sharing your knowledge?

[fuicious]

This has been on my mind for quiet some time now. I've been thinking of the possible benefits and disadvantages of sharing your knowledge with someone. Does that sound crazy to you? As I haven't been able to reach a conclusion for myself yet, I thought it might be interesting to hear your opinions on this topic. Some of you might say that there are no disadvantages at all, but I must disagree. I mean, we live in a time where information is power. The more you have, the more powerful you are (or maybe you just feel more powerful). The more you give away, there more powerful people around get, which may or may not be good, depending on who we're talking about. I'm pretty convinced that people in general like to feel more powerful than others. That might be one reason that they wanna keep information for themselves. However, sharing knowledge improves our status in the community we're part of (if we are), and that leads to some personal benefits. We get "rewarded". We also improve our communication skills by teaching others. That's very important, I think. It makes me feel good to be able to help other people, but I can't deny that I sometimes find it hard to share something I had worked hard on to finish. Not talking about anything specific here. Neither am I referring to myself as a knowledgeable person, just talking about stuff in general. I believe you get the idea. Now, are we always expecting something in return when sharing something of our own? In my opinion, we are, it's just that the reward is different for everyone. For some it's a satisfying feeling while for others it's some material reward. I'm aware of the fact that sharing is essential for a hacker community. All the more reason I wanna hear your thoughts on this one. How do you feel about it? Do you always expect something in return? How do the ones of you with most reputation feel about it? Do you feel like you don't get much in return, because there aren't many people around here who know more than you? I could go on with the question, but I'm pretty sure you got the point by now. I'm also aware that, as I'm a newbie, this topic might not get too much attention, but that's ok. Just wanted to give it a try.

[white-knight]

Sharing knowledge is why we are here ..


Only disadvantage I could see in sharing information on a forum is if you share to much personal info.


Besides online I could see not wanting to share all your knowledge in say the work place , so you don't work yourself out of a job and so on .


The only thing I would like in return of shared knowledge is the hope it helps others and they will help others also to keep the cycle going. The world  needs more people with common sense and some knowledge and less fuckwits that can't chew bubble gum and walk at the same time.


just my opinion tho

[fuicious]

Sharing knowledge is why we are here ..


Only disadvantage I could see in sharing information on a forum is if you share to much personal info.


Besides online I could see not wanting to share all your knowledge in say the work place , so you don't work yourself out of a job and so on .


The only thing I would like in return of shared knowledge is the hope it helps others and they will help others also to keep the cycle going. The world  needs more people with common sense and some knowledge and less fuckwits that can't chew bubble gum and walk at the same time.


just my opinion tho

Well I understand that is what hackers do and I've already said that. You say the only disadvantage is sharing too much personal info... But if you don't feel comfortable enough around a certain group of people to share your personal info with them, why are you comfortable teaching them stuff? Don't you worry your knowledge might be misused. You're a good person if the only thing you're looking for in return is "hope it helps people", but you're one individual and not everyone thinks like that. Was happy to hear your opinion .

[white-knight]

Don't you worry your knowledge might be misused. You're a good person if the only thing you're looking for in return is "hope it helps people", but you're one individual and not everyone thinks like that. Was happy to hear your opinion .

Id rather it not be misused but no way to control that sometimes. But most of the time from the way a person posts a question you can already tell how they would use the information. and usually no one helps them.


As you can see in this post https://evilzone.org/hacking-and-security/how-can-i-hack-a-website-without-sql-injection(index-php-withoutid)/

[Blackoutt]

I usually like to share information, but i'm not solving the problem for others. I give directions and if the person is really interested, with the info I gave is enough to find the answer.

With this you can identify who really want to know and learn and who only want to hack everything and everyone with no efort.

[silenthunder]

The key to knowledge is not possessing the knowledge itself, but knowing how to obtain knowledge when it is needed. I will not give out information, and I will not teach anyone how to perform any task. If somebody comes to me seeking guidance with something that's new to them, I take into consideration what their goal is, what knowledge they already have, and the general situation of interest; then I give them a simple task, essentially telling them what to do, that will cause them to have an epiphany of the knowledge they sought from me and thus giving them the pleasure of having figured it out on their own.

[fuicious]

The key to knowledge is not possessing the knowledge itself, but knowing how to obtain knowledge when it is needed.

I like the idea very much, thank you.

I will not give out information, and I will not teach anyone how to perform any task. If somebody comes to me seeking guidance with something that's new to them, I take into consideration what their goal is, what knowledge they already have, and the general situation of interest; then I give them a simple task, essentially telling them what to do, that will cause them to have an epiphany of the knowledge they sought from me and thus giving them the pleasure of having figured it out on their own.

A very clever approach. I also believe that people learn better when they struggle a little bit with some task. Does it make you satisfied when they successfully finish the task with your help? Just wondering.

[0E 800]

85% communication is non-verbal. Or something like that.

Something about all of us standing on the shoulders of devils er, i mean giants.

Here is how I see it.

You find a loop in the system where you can get Food Stamps or Government Assistance by means of some trick in the system you happened to discover. So not only are you making fat stacks from working your 40/hr a week job, but your also taking in food vouchers and cash aide from the government.

Well you have a neighbor or friend or relative that you know who is really having tough times and you want to share with him this loop hole trick...

The problem with sharing this kind of information is that you cant be sure the person your sharing it with is NOT going to share it with someone else. If they do share this info then there is a high probability that when enough people take advantage of the loop hole, the hole will get found and patched and now no-one will be getting the advantage.

I see this type of scenario all the time. People trying to be nice but end up making it worse on the people 'in the know' .

Something about nice guys finishing last.

However, sometimes there isnt anything you can do about it. Sometimes you give away your secrets without even knowing it.

Dunno if you guys watch much Star Trek but Captain Jean-luke had the responsibility of helping alien nations in distress without giving them the technology to do it themselves.

[shome]

I like sharing information with people. Sometimes, reiterating knowledge helps me absorb it better than if I didn't share it all. I do know some folks though (Personally, not on this forum.. Well, maybe occasionally on this forum) that just do NOT want to fucking read, or do any research on their own.

I've been at this since I was 13 or 14, and spent MANY hours on my own learning how things work, and sharing that information with people I will never meet in 20 lifetimes. I love every second of it. As i've gotten older, i've learned to have more balance in life, but the one thing that always remains is that some people just demand to be spoon fed.

I love what we do, and love being apart of this community. Every day I run into things i've never seen or heard of before and it's always awesome when there is that one person on the boards or on the irc that can spill a little bit in real time and save me a trip to...... google .

[fuicious]

You find a loop in the system where you can get Food Stamps or Government Assistance by means of some trick in the system you happened to discover. So not only are you making fat stacks from working your 40/hr a week job, but your also taking in food vouchers and cash aide from the government.

Well you have a neighbor or friend or relative that you know who is really having tough times and you want to share with him this loop hole trick...

The problem with sharing this kind of information is that you cant be sure the person your sharing it with is NOT going to share it with someone else. If they do share this info then there is a high probability that when enough people take advantage of the loop hole, the hole will get found and patched and now no-one will be getting the advantage.

That is a good example of a situation where sharing info can lead to disadvantages. I guess in the end it all depends on the person and the situation.

Sometimes, reiterating knowledge helps me absorb it better than if I didn't share it all.

I must agree with you on that. And it really is irritating when you see someone hasn't even tried to do it before reaching out for help.

[Deque]

This has been on my mind for quiet some time now. I've been thinking of the possible benefits and disadvantages of sharing your knowledge with someone. Does that sound crazy to you? As I haven't been able to reach a conclusion for myself yet, I thought it might be interesting to hear your opinions on this topic. Some of you might say that there are no disadvantages at all, but I must disagree. I mean, we live in a time where information is power. The more you have, the more powerful you are (or maybe you just feel more powerful). The more you give away, there more powerful people around get, which may or may not be good, depending on who we're talking about. I'm pretty convinced that people in general like to feel more powerful than others. That might be one reason that they wanna keep information for themselves. However, sharing knowledge improves our status in the community we're part of (if we are), and that leads to some personal benefits. We get "rewarded". We also improve our communication skills by teaching others. That's very important, I think. It makes me feel good to be able to help other people, but I can't deny that I sometimes find it hard to share something I had worked hard on to finish. Not talking about anything specific here. Neither am I referring to myself as a knowledgeable person, just talking about stuff in general. I believe you get the idea. Now, are we always expecting something in return when sharing something of our own? In my opinion, we are, it's just that the reward is different for everyone. For some it's a satisfying feeling while for others it's some material reward. I'm aware of the fact that sharing is essential for a hacker community. All the more reason I wanna hear your thoughts on this one. How do you feel about it? Do you always expect something in return? How do the ones of you with most reputation feel about it? Do you feel like you don't get much in return, because there aren't many people around here who know more than you? I could go on with the question, but I'm pretty sure you got the point by now. I'm also aware that, as I'm a newbie, this topic might not get too much attention, but that's ok. Just wanted to give it a try.

Thanks for this discussion, because it is indeed a question I struggle with up to this day. But I believe for different reasons.

I mean, we live in a time where information is power. The more you have, the more powerful you are (or maybe you just feel more powerful). The more you give away, there more powerful people around get, which may or may not be good, depending on who we're talking about. I'm pretty convinced that people in general like to feel more powerful than others. That might be one reason that they wanna keep information for themselves.

This is nothing I ever think about, because reading information and applying that to the real world are two different steps. A lot of people fail at doing the second.
Maybe it depends on the kind of information I share, but my contributions are usually not of the kind:
"How can I break into website XY.com" and "How to crack program XY"
But more of the kind:
 "How do I Program" or "How to reverse engineer malware"

The first examples are guides no ones learns from. They are step-by-step to achieve a very specific goal, often without explanations of the background and how it works.
The second teach the very basics of a skill, often theoretical stuff, sometimes more practical but still nothing you can immediately use in the real world, because you have to exercise a lot to get to that point.

Knowledge means power? Yes, but only if you can apply it to similar problems. In order to be able to do that the person reading your "shared information" still has to work hard. Just maybe not as hard as you, because you made some things easier for the reader.

So no, I do not have any fear that everyone will suddenly get powerful and I have nothing to share anymore. That just does not happen and did not happen in any of those years. I have still more I would like to share than I have time to write it.

Do leechers repost my tutorials and tools?
Yes they do, often so by pretending they have written these by themselves.
But the type of forums they are in, are not the ones you want to get a good reputation anyways. If they have no idea what they are talking about (and these leechers don't have, otherwise they would publish their own stuff), I am sure that any decent community will see that soon. They cannot answer any questions related to their tutorials properly. They cannot fix bugs in the code that you point out (often they cannot even compile it).
So, no, this is not the problem with sharing information. It happens and I can live with it.

My problem is still that of ethics. I did create a thread about this in the past and most people here do not see that as a problem.
I wrote and published some codes that can and have been used to build malware (the codes itself weren't destructive and just PoCs, but people used it for malicious stuff).
I removed it to trash, removed it back, removed it to trash again, removed it to VIP.
I still don't know if that is right to do.

I love to share knowledge without any restrictions, without people pointing out that these things can be used for bad. Let's face it, in most countries you are not even allowed to reverse engineer anything without being criminalized. If you only mention that topic you might get ridiculous responses. These people don't see that reverse engineers are also the ones who protect them, e.g., by analysing malware. So this knowledge that can be used for both good and bad must be exchanged more freely or the bad guys will be the only ones that have and can use this knowledge. If these things are punished and restricted you will have no person that fights for everyone's protection.

On the other hand there are some kinds of information that are more likely to be used maliciously than they are beneficial for protection.
I love to exchange ways how malware works, I love to share proof-of-concept codes for spreading techniques and similar, but I feel guilt if I do it too explicitly. Because I know if I publish similar stuff that this will happen again. People will see my code and use it maliciously.
I am spending all of my worktime and most of my freetime to fight malware, I don't want to help people to create it. So I always consider if the benefits of sharing are worth it.

Similar problem: http://securityaffairs.co/wordpress/39419/cyber-crime/ransomware-open-source.html
What educational benefit does this open source ransomware have and does this outweigh the risk of it being modified and used maliciously?
I think it doesn't, because it shares nothing new for the protectors. It is a crappy written piece of malware with no new techniques or similar. Everyone with decent knowledge in programming could write a better malware.
But this code gives an easy way for every skid with a minimum of programming knowledge to compile their own ransomware. And skids will and will do so successfully, because a lot of ransomware victims are not informed enough to see that they can actually get their files back without paying a ransom.

[0E 800]

^ responding to above, didn't want to quote the whole thing.

I just wanted to mention that Deque's example: the open source ransomeware, does have a flip side.
I would guess that all exploits no matter how skiddy do have a silver lining - it increases awareness for computer security and allows malware analysts to create more robust solutions for preventing future infections.

I would compare it to a cold virus. Once your body has eliminated the virus, antibodies prevent the same virus from infecting again. In some cases, even when the virus has mutated and you catch a variant of the same virus, the symptoms are not as bad.

I am not a professional, this is just my opinion.

[proxx]

There is always the balance between sharing some source examples or weaponized executeables that any moron can use , thats when you know it is going to be abused on a massive scale, scale is really the only thing that is at stake.
Most won't be able to compile something that works from a bunch of code, it'll do vs the 99%, the remaining part probably knows what it is doing be it malicious or not.

Backtrack or Kalilinux is a perfect example of shared data/tools.
Some tools require quite some (linux) skill to setup , for anyone who compiled shit from some git --> endless stream of missing libs/deps , party on ,grab a beer coz thats gonna take a while , after all the compile errors you need to setup a DB( and the obscure config file that uses a syntax new to mankind).
Sometimes I am lazy too , not going through the hazzle, downside be that them skids gonna fire up all kinda magic-pop-and-pwn-youtube-tricks (holymary ugh)
What I especially dislike is the media attention it gets which sets a bad stage for anyone interested in the field , there is always something to defend when talking about security as a hobby or job.

Sharing skills/knowledge on such a broad spectrum is a pain to the community , but its the internetz what you gonna do , all them kiidz wanna be true haxx0rs and there is noone to stop them.

I rest my case.

[Deque]

Thanks for your input.

it increases awareness for computer security and allows malware analysts to create more robust solutions for preventing future infections.

The former, yes. But raising awareness could be done in less dangerous ways too.

The latter: No, I doubt that. This is just another piece of crap taking time away from malware analysts that we would rather spend on creating these solutions you are talking about. There is nothing new in that malware, nothing we don't already know. Yet we have to spend the time to create a static signature in case someone wants to use the plain malware (which no one does).

Here are statements of the author utkusen:
https://github.com/utkusen/hidden-tear/issues/3 https://github.com/utkusen/hidden-tear/issues/7

if i can create a ransomware which can bypass antivirus programs, i publish the source codes. if i don't, somebody will code it and sell it in underground. i don't see any problems with my practise. if you will be happy by my death, i will die someday, eventually.

I explained before why I didn't use asymmetric encryption. I didn't want to make this program so advanced. My point wasn't causing a chaos. It's just a sample which shows that how we can use basic encryption techniques to create a malware.

The statement that this malware "can bypass antivirus programs" is based on nodistribute results: http://nodistribute.com/result/6a4jDwi83Fzt

But sites like nodistribute and virustotal only check if an AV can detect the malware via static signatures.
They do not take into account if the AV:
* detects the malware via behavioural observation
* detects the file via emulation
* protects from the ransomware-typical infection vectors

Static signatures are just not feasible for yet unknown malware. Any potential attacker will only release a version of this ransomware that is not detected anymore. All they have to do is to apply a protector that is usually not unpacked by AVs and also commonly used by good software.
Showing that it is easy to create malware that bypasses static signatures is like saying "I can write a sentence no one wrote before". What a great accomplishment. Everyone knows that. What is the point?

That's why we have the other protection schemes that are actually designed to defend against new malware. But everyone ignores them, because they are quite time-consuming to test on a massive scale.
Just look at the hybrid-analysis result for hiddentear: https://www.hybrid-analysis.com/sample/d44a5f262ccb43f72ee2afde3e3ff2a55bbb3db5837bfa8aac2e8d7195014d8b?environmentId=4
It has a score of 100/100, lots of its behaviour hints to being malicious, so does the heuristic analysis of static information. It shows that an AV will very likely protect from this malware even without static signatures.

The only advantage that I see: If a skid really uses most of utkusens code, the damage done by the ransomware can be reversed. The code only uses symmetric encryption and a decryption tool can be created for everyone's use.

[fuicious]

Thanks for this discussion, because it is indeed a question I struggle with up to this day.

You're a welcome. Same here, I hope this thread clarifies it a little bit for us. It's always good to hear different opinions. This is another interesting advantage of sharing (thoughts in this case, but  can be applied to general konwledge I guess). You get to hear different opinions and critique and you can learn from it.
You said that that a lot of people fail with applying what they know to real world problems and I agree. But if you give guidelines to someone who is persistent enough to learn by himself how to apply his skills for bad purposes, that's even more dangerous imo than giving
some malware to a skid that will only be able to use that one piece of code.
About ethics... You can never be sure. The only choice, in my opinion, is to make a decision for yourself, how you believe you're helping making something more secure, by sharing or not, and just stick with it.
I would like to point out something else.
So I guess that both sharing and not can lead to different kind of problems. However, there is this undeniable advantage of sharing. Together we are able to advance a lot faster than we are by ourselves. It does lead to development, be it good or bad.