Firewall Wizards mailing list archives
Re: Extreme Hacking
From: "Craig H. Rowland" <crowland () psionic com>
Date: Tue, 6 Jul 1999 00:49:51 -0500 (CDT)
> So, the question arises: what other companies have such DBs?
> A number of "reputable" security companies develop their own hacking techniques. I'm not sure what the justification is -- other than that it just comes naturally, since they tend to hire "ex-"hackers. It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.

One leading justification I've run into is optimizing scanning systems for performance and thoroughness. Many new bugs are found by accident this way. IMHO.
I don't think this is totally true. While I routinely tell people it is always easier to break something than to create it, I also know that knowing how to break software makes it easier to design tools that are harder to wreck. The problem is that the social reward structure on the Internet is established to give more credit to those who discover problems, not those trying to fix them. It's easy to see which option people tend to choose first when given a choice.
> What are they worth? And the real issue: is there anything in there you won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.
> Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am.
No you're not. I'm writing an essay up on this very issue about an incident that sealed me in as a believer that some information needs to be earned and not just given away. This goes for many people in this field, not just consulting companies. Perhaps I'll send a link when it is complete.
> Hacking isn't a technological problem, it's a social problem. As such, it's not going to be "solved" by technological means, but rather by social means. I'm pretty sure that the best way to reduce the amount of hacking is _not_ to glorify it, charge people money to learn it, and hire people as consultants for lots of money because they have hacking backgrounds. The only way I can think of to make hacking unattractive is to make it really really expensive when you get caught.
Amen. Additionally, you need to make it so that your chances of getting caught are high enough to no longer make it a game. We're approaching that era now, the golden days of hacking are dead and have been since the Internet went commercial. It isn't a game any more and people are starting to wake up to the fact that it isn't a cute prank to hack systems. I'm sure I'm not the only one who is sick of people hacking systems, getting caught, and then complaining that they are being treated unfairly. Well tough. You played the game poorly and you lost. Deal with it.
> Here's a thought: when one of us gets broken into using one of the secret new techniques that E&Y is teaching, let's sue E&Y for developing it and disclosing it irresponsibly. They've got deep pockets. We're working in a legal environment where gun manufacturers are sometimes held accountable for the actions of their guns - it should be a dead simple argument that E&Y should be held accountable for the actions of their hacking techniques, and/or anyone and everyone who has been through their training. Thought provoking, huh?
Deja vu! I was just having this discussion the other day (Hi Diana)! I think any security company releasing exploit information needs to really consider this as a possibility. IMHO, unless absolute gross negligence is proven on the part of the software development company with respect to the hole, I think most juries would hold the *security company* responsible for damages as a result of their actions. Before the comment comes up, no, I don't think buffer overflows and other common problems are *gross* negligence. I consider them industry-wide stupidity for relying on 1960's/1970's languages for 1990's software. We'll save that for another discussion though. The recent disclosure of the eEye IIS 4 hole is a perfect example of litigation waiting to happen against a security company. There are plenty of details there that show the security company acted irresponsibly (didn't wait for a patch, released full working code, encouraged its use by developing variants, etc.). Personally, if my website was attacked using their code I'd sue their pants off, but that's just me. This gets back to the open disclosure discussion, which is another (off-topic) subject altogether.
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
-- Craig