Re: Extreme Hacking

[Brad J Passwaters <bjp () eng us uu net>]

On Fri, 9 Jul 1999, Darren Reed wrote:

> > Knowing that running program A will get you a root shell
> > does not help you secure your system.
>
> Right.  Glad you could say that again for me.

Your welcome - FYI it was the best may to make clear
my point based on your comment.  All my other attempts ran into 
"pronoun trouble"
 
> > Understanding that 
> > service FOO is vulnerable to a buffer-overflow due to a poor
> > choice of system calls is quite useful.
>
> Perhaps, if you can exploit other services which use that "system call".
> But how does that help you secure the system, though ?  You can determine
> that a bunch of services which you need to run are security problems
> which you've otherwise got no control over ?

While this view of audits is necessary it may not be sufficient.
Seeing examples of these types of exploits can allow one to look
for them in code or even trace out of running programs.

> > I would hope that 
> > a security class would teach more than how to be a script kiddie.
>
> You can teach people about configuration mistakes, etc, without exploiting
> them.

umm exploiting whom, the people or the conguration mistakes? Or did you
mean you could teach them with out showing them exploits?

> What we're dealing with here isn't just a "security class" but one which
> claims to teach people `new' hacking techniques.  I'd be happier if they
> just tought them how to do a _proper_ audit of a computer system but maybe
> that's being too unfashionable and too demanding.  Afterall, this is what
> the class is meant to be in aide of, right ?

I don't know what the class teaches I have not gone to it.  I am of the
opinion they have the right to teach both.  Keep in mind that I think
we are judging all this off a piece of (ahem) "marketing literature".
 
> > > But E&Y aren't teaching you how to secure a system, they're teaching you
> > > how to commit a crime, unless breaking into systems isn't a crime where
> > > they're taking those classes.
> >
> > They are not teaching you how to commit a crime.
>
> It's a strange game when people justify teaching criminal skills in
> order to perform `real' work.  But is that what are they doing then ?
> Teaching you how to audit a system by giving instructions on how to
> attempt to break in ?

I guess the only way to win is not to play :)

It is a skill, IF and only IF it is used to commit a crime 
is it a criminal skill. The leap that because criminals use a
skill its a criminal skill is a dangrous one.
 
> A proper audit should uncover anything that a penetration test can and
> more.
> I can rig a system up on the internet which nobody can break into but is
> full of security holes.  No penetration testing will discover that but a
> person who does a proper audit of the system is more than likely to.
> This is more of a reflection of the attitude taken towards computer
> security as a whole as well as the relative immaturity within the
> industry itself, although there are signs of change around.

This is not (on my part) a debate of penetration test vs audits.
It is not a one or the other situation.  Also I believe that a working
knowledge of exploits when combined with a knowledge of the OS and an
understanding of basic security principles can make an audit better.

> > Most knowledge can be used to commit a crime.  High speed precision
> > driving could be used to break traffic laws.
>
> Hopefully those people also learn "defensive driving" too and know how to
> make the best of bad situations and lessen the death statitics on roads
> should they happen to be in such a predicament.  But since when do you
> need to do "high speed precision driving" to do 80 in a 60 zone ? >:->
>
> > Any training with firearms could be used to kill or injure.
>
> Just don't forget the paperclip!
>
> > Books and information on lockpicking should certainly be outlawed.
>
> I'm sure that'd upset folks at MIT :>

The point is that much knowledge is dangerous and many people
believe that alot of it serves no purpose and should not be conveyed
but I don't agree.  
 
> > > You mean the same sort of deliquent attitude that leads them to `tagging'
> > A crime is a crime and people should be punished if they commit them.
>
> But is it responsible to actively teach people such skills and advertise
> courses as having that as the objective ?  Why make it easier or even
> encourage people to commit crimes ?

Yes. I don't believe the class encourages people to commit crimes.
As far as the why make it easier part, because in my opinion 
it is less evil then saying "this knowledge is banned".
 
> It's an interesting part of the computer industry, penetration testing,
> that it requires the application of skills which, outside authorised use,
> are criminal skills.

There are a number of jobs like that:

Locksmith,tow truck driver,policeman,fireman,doctor,soldier etc etc.

I think audits/basic security practices/OS internals all have
a place in the toolbelt of security folks.  I also think classes
that talk about exploits and classes about ethics/law are valid.

Brad