Firewall Wizards mailing list archives
Re: Extreme Hacking
From: Paul Woodie <paul_woodie () wcatrain com>
Date: Mon, 05 Jul 1999 19:20:23 -0400
I could not agree more with Marcus on this point. Hacking (or any other trespassing behaviour, for that matter) is primarily a social problem. And technological remedies are not the primary remedy to this situation. It is true that a good technological defense is needed (e.g., firewalls, host-based security, etc.), but that is only a defense, not a remedy to the real problem. An understanding of the technology (of attacks -- hacking??) is helpful for those that are trying to defend, but they are probably always behind in their defenses compared to attacks. But the point remains, if I use a tool for a malicious/non-lawful purpose, I had better be prepared to bear the consequences of my actions (which should be quite severe).

Paul Woodie

"Marcus J. Ranum" wrote:

Ernst & Young made headlines in TIME when they offered the first run of their Extreme Hacking course. 5 days of Unix and NT hacking, with a CD to take home. The participants are somewhat screened by having to be referenced by the local EY office. Recently, I was told attendees learn new exploits and hacks that we will probably only see out in the open in 1-2 years.

I have to remain a little sceptical on this point. What I think they mean is that they invented a few tricks of their own, which they aren't planning on publishing -- they'll leak out pretty quickly, once the class has run a couple times. I find it hard to imagine that teaching something in a class is a good way to keep it a secret.

So, the question arises: what other companies have such DBs?

A number of "reputable" security companies develop their own hacking techniques. I'm not sure what the justification is -- other than that it just comes naturally, since they tend to hire "ex-"hackers. It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.

What are they worth? And the real issue: is there anything in there you won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.

Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am. Hacking isn't a technological problem, it's a social problem. As such, it's not going to be "solved" by technological means, but rather by social means. I'm pretty sure that the best way to reduce the amount of hacking is _not_ to glorify it, charge people money to learn it, and hire people as consultants for lots of money because they have hacking backgrounds. The only way I can think of to make hacking unattractive is to make it really really expensive when you get caught.

Here's a thought: when one of us gets broken into using one of the secret new techniques that E&Y is teaching, let's sue E&Y for developing it and disclosing it irresponsibly. They've got deep pockets. We're working in a legal environment where gun manufacturers are sometimes held accountable for the actions of their guns - it should be a dead simple argument that E&Y should be held accountable for the actions of their hacking techniques, and/or anyone and everyone who has been through their training.

Thought provoking, huh? I know a good ambulance chaser lawyer, who'll work for %33 of the take...

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr