Re: Extreme Hacking

[Brad J Passwaters <bjp () eng us uu net>]

On Wed, 7 Jul 1999, Darren Reed wrote:

> > Knowing the potential vulnerabilities of a system is the first step towards
> > making it secure.  It's even better if you can get ahead of the curve and
> > discover new methods of breaking into a system that aren't yet public
> > knowledge -- your systems will be that much more secure.  Who better to
> > secure a system against crackers than a cracker, provided you trust them?
>
> Knowing how to break into a system does not provide knowledge in making it
> secure.  Whilst there is definately some feedback between the two, one does
> not imply the other.  For example, how does knowing to run program B with
> host X as the target, resulting in shell access help me in securing it ?
> Disabling and removing what ever is responsible for allowing program B to
> work is not an acceptable answer.

Knowing that running program A will get you a root shell
does not help you secure your system.  Understanding that 
service FOO is vulnerable to a buffer-overflow due to a poor
choice of system calls is quite useful.  I would hope that 
a security class would teach more than how to be a script kiddie.

It should be noted that the price for the class does set a bar to entry
that should eliminate most cracker-wannabes
 
> > > Am I the only person who has a problem with the idea of someone
> > > teaching hacking techniques? Sometimes I think I am.
> >
> > See above.  It's one thing to teach someone how to secure a system, but if
> > they don't know *why* what they're doing will secure it or further be able
> > to notice other vulnerabilities in the system that weren't pointed out to
> > them then at best they will be a second-rate security expert.
>
> But E&Y aren't teaching you how to secure a system, they're teaching you
> how to commit a crime, unless breaking into systems isn't a crime where
> they're taking those classes.

They are not teaching you how to commit a crime.  I can break into
systems all day as long as I 1) have permission or 2) own the system.
Most knowledge can be used to commit a crime.  High speed precision
driving could be used to break traffic laws. Any training with firearms
could be used to kill or injure.  Books and information on lockpicking
should certainly be outlawed.

> [...]
> > I also don't mean to glamorize crackers (hackers are people that write code,
> > why is the terminology so often messed-up?) but in all honesty the vast
> > majority of them aren't motivated by maliciousness so much as a desire to
> > see if it can be done.
>
> You mean the same sort of deliquent attitude that leads them to `tagging'
> public transport and `decorating' otherwise flat, empty croncrete walls ?
> What about shop lifting ?  Maybe I should get curious about murdering
> someone, try it out, just to see if I can get away with it.  A crime is
> a crime, no matter which way you try to look at it and teaching people
> the skills should also be frowned upon.  In something that recent legislation
> here in Australia brought up, it's against the law to publish a book which
> is instructional on committing a crime.  The Internet has changed all that
> with instructional pages on just about everything under the sun available.
> I don't know if it's the same elsewhere with books, but condoning the
> disemination of knowledge about how to break the law seems somehow flawed.

A crime is a crime and people should be punished if they commit them.
However information that MIGHT be used for a criminal purpose should
not be restricted.  IF you want to debate Australia's attempt to
regulate information thats another conversation entirely.  Suffice it
to say I don't believe the US should try to enforce their laws in 
other countries and I certainly see no reason to obey Australia's
laws in the US.


bjp () va pubnix com                       |  Disclaimer: Can you be sure I
Complete stranger                       |  even exist: Let alone represent
Brad Passwaters                         |  anyone or anything.
-------------------------------------------------------------------------------
    "The sooner you fall behind, the more time you will have to catch up"