			     ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x0f

|=-----------------=[ P R O P H I L E   O N   S H O K ]=-----------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack Staff ]=-----------------------------=|




|=---=[ Specification

Handle:		Shok
AKA:
Handle origin:	No idea
Age:		older than I look ;)
Born in:	Trinidad
Height/Weight:	[ ] daemon9
		[ ] Kids meal (under 5'7 / under 160 lbs)
		[ ] Regular (5'8-6'5 / 160-200 lbs)
		[X] Supersize (6'5-7'2 / 200-300 lbs)
		[ ] Defcon attendee

Urlz:		http://www.xfocus.net
		http://www.immunitysec.com/GOBBLES
		http://www.datarescue.com/cgi-local/ultimatebb.cgi
Computers: 	'94 486DX (x86 Solaris),
		Dell Inspiron laptop (Mandrake and Win2k)
		IRIX 5.3 R4600
Member of:	Mile High Club


|=---=[ Favorite things

Women: 		intelligent, personable
Cars:		My "ghetto truck" as minus used to call it.. a '93 bare
		bones Toyota pickup
Foods:		Italian, Indian, Turkish
Fruit juice:	chocolate
Music:		Oldies (Diana Ross), Emo (Arthur, Something Corporate),
		Screamo (The Used, Finch), Hardcore (Atreyu, From Autumn
		to Ashes), Punk (Rufio, Slick Shoes), Techno (Oakenfold,
		Van Dyke, Digweed), Classical (Vivaldi), Ska (Five Iron
		Frenzy)
Movies:		Memento, The Dancer Upstairs, Adaptation, Run Lola Run
Books:		Crime and Punishment, Anthem, DaVinci Code, Inside Windows
		2000, Undocumented Windows 2000 Secrets, Solaris Internals,
		Applied Cryptography, Programming Windows Driver Modem
Urls:
I like:		nothing
I dislike:	everything


|=---=[ Life in 3 sentences

I love to learn. I wish I had more time to read. If I had all the money in
the world I would buy a Siberian bride and spend the rest of my life doing
research and going to school.


|=---=[ Hacker Life

PHRACKST4FF: Previously, you had chosen the path of full disclosure and
submitting numerous whitepapers and exploits explaining
what were previously 'unknown' techniques. Also, you're
the founder of a very large and popular 'whitehat' group
which has gain tons of publicity over the years. What has
changed your opinion and made you believe in non-disclosure?

It's not helping anything. I'm not against releasing papers and tools that
advance the field. I'm against releasing information that will obviously
be harmful. So I'm not going to waste my time finding vulnerabilities. If
I write exploits it will be to enhance my skill but I won't release them.
I have always done security because I enjoy it, so I'm just trying to live
life in my own niche.
I think in some cases I put people in harm unnecessarily by not always
contacting or giving ample time to the vendor when releasing vulnerability
information, and I don't really feel now that it has produced much good.
If I could have seen into the future, I would have been comfortable sharing
info with the security community while it was still small until around the
end of 2000 when the information started getting misused in ways that
really only hurt the cause of security. Of course there were probably
some always misusing the information but it was on a tolerable level. Now
after every major vulnerability we see, we have to wonder whether a worm
will be released. It's a watse of time for administrators, family
businesses, whatever to have to deal with this kind of thing. So I guess to
summarize, I would have only participated in disclosure so long as it had
remained for people that found security interesting but weren't interesting
in using it in malicious ways. Since this is no longer the case I will avoid
participating.


|=---=[ Would you work for the government/military? Why or why not?

Good question.. I would really enjoy seeing the echelon capabilities of
NSA, so if I got to work with this kind of stuff I definitely would. Since
it would take a long time to get that kind of clearance, though, I would
be to restless.


|=---=[ Memorable Experiences

The Christmas I got my first computer, the first time I got a buffer
overflow exploit working, the finale to Temptation Island I, trying to
live on the East Coast and hating it, my first earthquake,  first beer
festival in Erlangen, finding arrowheads in the desert and sharks teeth on
the Atlantic ocean, sleeping in the car outside of Innsbruck Austria and
camping out in Saint Gallen Switzerland, getting kissed by GOBBLES,
meeting prym recently and finding him to be a cool guy, getting slapped by
a girl in 8th grade, watching Napster rise and fall, my first psychologist,
my first broken heart, my first roller coaster ride.


|=---=[ What's your architecture of choice? OS of choice?

I'm definitely most comfortable with x86 followed by SPARC. I definitely
have the most fun with Windows because there are still so many unknown
parts of Windows internals that need to be reverse engineered. I like
playing on BSD, Solaris, and Linux equally. I grew up on Linux, though.


|=---=[ Quotes

"Emotion is not a tool of cognition; it is the result of your values. If
emotion was a tool of cognition, it would presuppose determinism because
the right course of action' is already built in you."

"The logical fallacy of argumentum ad ignorantium dictates that the onus
of proof is on he who asserts the logical positive. You cannot take it
literally to deduce the logical positive, you must determine it by the
actual meaning."

"You have to accept an axiom as your base of knowledge."

"I'll get it off Shok's box" -- swr

"w00w00 is p00p00" -- #phrack




|=---=[ Open Interview

Q: How did you get involved in hacking?

Through irc #hackers and #hackerz, which led into trading root shells and
phrack. There was a Swedish hacker named BiT that I would say was the
closest thing to a hacker mentor that I had. I'm not sure whatever
happened to him. I stopped hacking at a really young age when I was still
in the root shell / skript kiddie phase after a close call. The legal
consequences of hacking were never worth the gain to me. So I tried to
find some way to fill the void.. and I mainly did that by looking through
software for vulnerabilities and writing exploits.


Q: If you could turn the clock backward, what would you do different
in your young life ? Would you stick with anti disclosure through out?

At the time I first started I don't think there was such a pronounced
BlackHat movement and a lot of people seemed to do it for the same reasons
I did, so there wasn't such a problem. In the last few years the entry
barriers into security seem a lot lower, and so it is more dangerous
releasing working exploits and things now than in, say, 1998.


Q: More security members (who's lying here?): w00w00 or GOBBLES?

w00w00 doesn't want to hurt the feelings of the much smaller and puny
GOBBLES, so I will not answer that question ;PppppPPpPpp
But anywayz, I do not think w00w00 is really a "group" anymore, mainly
just a social gathering of friends. I don't think we'll be releasing
much anymore. We're all doing our own things.


Q: Favorite phrack.efnet.ru news flash?

BREAKING NEWS: females are not welcome in #phrack anymore


Q: Favorite ~el8 article?

"gobble blaster -- uncle m4v1s"
It was nice to see someone pick on GOBBLES for a change


Q: We heard your friends were the basis for the movie "Antitrust." Can
you explain more about this to us?

Yah it is based on a true story. Just like "Italian Job."


Q: Worse advisory: Palmpilot encryption weakness or XSS ?

My vote would be for XSS. I have a rule on my mail client to just delete
any email with the word XSS in it.


Q: Favorite ~el8 member? (not to unfairly bias the interview process but we
kinda like Kareless KaRL)

Well I would have to say MiKE TySoN. He sounds pretty friendly.


Q: Do you find it ironic that Shaun Fanning's opensource file sharing network
is probably the biggest reason why things like the DMCA have passed in
Congress?

Yes, I realize, and this is why my feelings on full disclosure have
changed. I don't want to reach a point where it is illegal to
discuss security information that may be used to compromise systems and
I'm willing to sacrifice full disclosure to reach that. I wish we could
get back to a point where disclosure was not being abused but I don't
anticipate that happening. It's ironic that the full disclosure movement
will lead to its own demise. The worms and mass rooters that are
being produced from it will only push politicians to get involved.


Q: Kobe Bryant: Guilty or innocent?

Dunno.. that or he likes it rough :)


Q: We understand that before Solar Diz's netscape advisory came out, you
were the undisputed world champion of HEAP EXPLOITATION. Does this sudden
shift in power upset you?

I think Solar Diz was exploiting heap overflows long before me :) I was
mainly putting together my own findings. Solar is amazing, though. Maybe I
will need to make one for Windows too.. I haven't seen Solar publishing
anything for Windows :P


Q: Who would win in a fight, Ja Rule or 50cent?

Man, I'm from the mid-West. I don't even know 50cent.


Q: Who would win in a fight, Dan Bernstein or Wietse Venema?

Dan Bernstein


Q: More lines of original code: OpenBSD or grsecurity?

grsecurity


Q: More 0wned: jobe or seiki ?

I don't know seiki so I can't compare :)


Q: Who the fuck is "Remie" ?

One of dmess0r's old girlfriends that stayed in the w00suite '99 and
became part of the w00family. She's pretty neato.




|=---=[ One word comments

Digital Millenium Copyright Act (DMCA) : (the) beginning
BUGTRAQ : headlines
jobe : heh
TESO : skilled
ADM : missed
w00w00 : 4life
IRC : usenet
GOBBLES : HFG
FAKE PHRACK : fun
phrack.efnet.ru : meanies
PHC : confusing
Full Disclosure Policy : misguided
Projekt M4yhem : telling


|=---=[ Please tell our audience a worst case scenario into what the scene
might turn into.

A fatal STD enters into the irc sex chart... there goes 90% of the scene.
Or if security becomes obsolete and there is nothing else to do. Or if the
current rate of worm outbreaks results in discussing security or
possessing exploits being illegal.

On one hand, I think it would be really bad if everyone kept everything to
themselves and no one shared anything. What would be the fun in that?
Hackers obviously like to share things with other hackers (hence how 0day
gets leaked).. they just want to keep it limited to a group of trusted
friends. So I think you need to allow some amount of communication. I
think it's useful to see papers and tools that advance the field. This is
what I mainly want to focus my time on in the future. Finding
vulnerabilities are a waste of time unless you're going to use them is
a waste of time. Coding exploits can be good in improving your skill, but
posting them is just going to caues more harm than good. But even
blackhats share too many things which spread through the underground and
get leaked. It might be better to focus your attention on the leaking
blackhats. Since these leaking blackhats are more capable of getting their
hands on private exploits than whitehats, I don't know why you don't see
them as the bigger threat.

On the other hand, I don't think releasing exploits is doing very good
either. This constant flood of worms and mass rooters isn't helping
anything. I will bet that in 5 years it will be illegal to release code to
the public that can be used for unauthorized access into computers. Then
Bugtraq will no longer allow exploits to be published, and the
full-disclosure list, if it still exists, will become moderated or the
guy running it will get himself arrested.


|=---=[ And if everything works out fine? What's the best case scenario
you can imagine?

It would be good if there was some point that people were willing to
compromise. Waging a war against whitehats will do no good becaues most
whitehats don't care about the blackhats' opinions.

I wish that people respect each other's rights to their own findings.
Blackhats will never get rid of all whitehats and vice versa. So it would
be better if exploits, tools, and papers could all be copyrighted so as
to ensure they are only used as the author intended. People that chose to
advance the field by releasing papers should be allowed to. People that
want to keep their research to themselves or a select group of people
should be allowed to. I guess it's implicit DRM on security knowledge.
Does that make any sense?


|=---=[ Any suggestions/comments/flames to the scene and/or specific people?

Unix is so 1990s. These worms suck, learn to write better worms. Don't
spend more than 50% of your free time on irc, give women a try
(preferrably one that doesn't know what irc is). Don't complain about
whitehats disclosing stuff until you stop leaking other peoples' warez
first.


|=---=[ Shoutouts & Greetings

To the cute ladies of the scene




|=[ EOF ]=---------------------------------------------------------------=|