Firewall Wizards mailing list archives
Re: Extreme Hacking
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 9 Jul 1999 14:44:14 +1000 (EST)
In some email I received from Brad J Passwaters, sie wrote:
On Wed, 7 Jul 1999, Darren Reed wrote:
Knowing how to break into a system does not provide knowledge in making it secure. Whilst there is definitely some feedback between the two, one does not imply the other. For example, how does knowing to run program B with host X as the target, resulting in shell access help me in securing it ? Disabling and removing whatever is responsible for allowing program B to work is not an acceptable answer.
Knowing that running program A will get you a root shell does not help you secure your system.
Right. Glad you could say that again for me.
Understanding that service FOO is vulnerable to a buffer-overflow due to a poor choice of system calls is quite useful.
Perhaps, if you can exploit other services which use that "system call". But how does that help you secure the system, though ? You can determine that a bunch of services which you need to run are security problems which you've otherwise got no control over ?
I would hope that a security class would teach more than how to be a script kiddie.
You can teach people about configuration mistakes, etc, without exploiting them. What we're dealing with here isn't just a "security class" but one which claims to teach people `new' hacking techniques. I'd be happier if they just taught them how to do a _proper_ audit of a computer system but maybe that's being too unfashionable and too demanding. After all, this is what the class is meant to be in aid of, right ?
Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am.
See above. It's one thing to teach someone how to secure a system, but if they don't know *why* what they're doing will secure it or further be able to notice other vulnerabilities in the system that weren't pointed out to them then at best they will be a second-rate security expert.
But E&Y aren't teaching you how to secure a system, they're teaching you how to commit a crime, unless breaking into systems isn't a crime where they're taking those classes.
They are not teaching you how to commit a crime.
It's a strange game when people justify teaching criminal skills in order to perform `real' work. But is that what they are doing then ? Teaching you how to audit a system by giving instructions on how to attempt to break in ? A proper audit should uncover anything that a penetration test can and more. I can rig a system up on the internet which nobody can break into but is full of security holes. No penetration testing will discover that but a person who does a proper audit of the system is more than likely to. This is more of a reflection of the attitude taken towards computer security as a whole as well as the relative immaturity within the industry itself, although there are signs of change around.
Most knowledge can be used to commit a crime. High speed precision driving could be used to break traffic laws.
Hopefully those people also learn "defensive driving" too and know how to make the best of bad situations and lessen the death statistics on roads should they happen to be in such a predicament. But since when do you need to do "high speed precision driving" to do 80 in a 60 zone ? >:->
Any training with firearms could be used to kill or injure.
Just don't forget the paperclip!
Books and information on lockpicking should certainly be outlawed.
I'm sure that'd upset folks at MIT :> [...]
You mean the same sort of delinquent attitude that leads them to `tagging' public transport and `decorating' otherwise flat, empty concrete walls ? What about shoplifting ? Maybe I should get curious about murdering someone, try it out, just to see if I can get away with it. A crime is a crime, no matter which way you try to look at it and teaching people the skills should also be frowned upon. In something that recent legislation here in Australia brought up, it's against the law to publish a book which is instructional on committing a crime. The Internet has changed all that with instructional pages on just about everything under the sun available. I don't know if it's the same elsewhere with books, but condoning the dissemination of knowledge about how to break the law seems somehow flawed.
A crime is a crime and people should be punished if they commit them.
But is it responsible to actively teach people such skills and advertise courses as having that as the objective ? Why make it easier or even encourage people to commit crimes ? It's an interesting part of the computer industry, penetration testing, that it requires the application of skills which, outside authorised use, are criminal skills.
Darren