
Spies like us don’t talk to you in public.

With great interest I followed the current discussion on SDN about Custodio publishing an SAP hack. In this case it appears to be a way of “bypassing” the registration code that SAP requires before its own ABAP program source code can be modified.

As I mentioned in an earlier blog, I worked for a certain period of time on SAP implementations in the environment of national agencies. I think it would be worthwhile to share some viewpoints on the do’s and don’ts of the security world in this context.

If you look at the question “Who is posing threats to IT security in enterprises?”, you get a “pyramid”.


At the bottom, the nominally largest group, you have the script kiddies. The name comes from the lowest-level security threat: in any environment you can observe a daily wave of attacks shortly after school is out in the afternoon, when the “buddies” try out the latest basic hacker scripts they exchanged in the schoolyard. The same name applies to the occasional hacker who picks up some “exciting tools” from the dark corners of the Internet and tries them out.

This level is no serious threat and is caught by any regular firewall and standard security measure. The next level is more serious: professional hackers, sometimes associated with organized crime and corporate espionage. Their tools are serious, and countermeasures are difficult. They will successfully attack an average system, but they will fail against serious countermeasures in hardened security environments.

The top level is well represented in every newspaper: national agencies, which use the ultimate tools. They are hard to detect when secret-service-style technology is involved. Feel sure about the latest TPM 2.0 chips in your laptop? Well, re-think.

Now look at the question: who in this pyramid would talk publicly about their knowledge?

What would you guess? The answer is easy: only the script kiddies will brag about their stuff publicly on the Internet. The “claim to fame” is the driver to share the knowledge with the world, wanted or not. If you look at the Black Hat conferences, you will also notice that even the professionals publish only material at “script kiddie” level, or the occasional “hot” zero-day exploit that serves as a great topic for making the headlines.

On the professional side, everyone who knows the real exploits will either use them to “blackmail” the targets, if he or she is on the black-hat (evil) side, or will try to make money by selling the so-called “zero-day” (fresh, unknown) exploits back to the original vendors, if he or she is a “white-hat hacker”, the good one. Usually the vendor will pay a premium for every zero-day exploit that is reported to it.

The same holds for the programs and tools used for hacks at this professional level. They will be used either for black-hat hacking (bad guys) or for pen tests and security hardening (good guys). In either case you will share your knowledge only with a very specific audience.

Check out the companies that do penetration tests for SAP. Do they even advertise on Google? I doubt that you will find many of them by Google search. I think that, in general, publishing exploits in a public forum is not professional behaviour and serves only the purpose of either “fame for script kids” or showing off one’s own knowledge.

If you know the serious hacks, you have no interest in sharing them uncontrolled in public, be they white-hat or black-hat hacks.

  • Hi Holger,

    Nice Blog. I reckon I will follow the security space more often.

    I think that, in general, publishing exploits in a public forum is not professional behaviour and serves only the purpose of either “fame for script kids” or showing off one’s own knowledge.

    This is pretty much what Robbo said on twitter and I think you are both right.



    • Hi,

      The discussion about responsible disclosure vs. full disclosure is old (according to Wikipedia it was first raised in the 19th century). Claiming that the guys who fully disclose bugs are doing it only for fame is a gross simplification.

      Playing devil’s advocate: the big vendors are notoriously slow to publish fixes for security vulnerabilities. Some of them even refuse to fix these issues. I personally reported some vulnerabilities to SAP. It took SAP months to publish fixes for these issues. Is this fair to customers?


      • Hi Martin,

        thanks for your comment. The format of a blog written in response to Custodio limits the focus of the discussion a little bit. You are right, it is simplifying – but on the other hand, the issue that you addressed should be taken care of by the software companies.

        SAP, for example, should have a public program for exploit and vulnerability reports and answer with a well-defined reward. And it should address the fixes in a timely manner, like Microsoft with their “Patch Day”. Large companies will slowly recognize the need to work in this way.

        But this can’t be part of this blog. Thanks again for taking part in this discussion.