Firewall Wizards mailing list archives

Re: Extreme Hacking


From: "Craig H. Rowland" <crowland () psionic com>
Date: Tue, 6 Jul 1999 00:49:51 -0500 (CDT)

> So, the question arises: what other companies have such
> DBs?

> A number of "reputable" security companies develop their
> own hacking techniques. I'm not sure what the justification
> is -- other than that it just comes naturally, since they
One leading justification I've run into is optimizing scanning systems for
performance and thoroughness. Many new bugs are found by accident this
way. IMHO. 

> tend to hire "ex-"hackers. It'd be unrealistic to expect
> those guys to stop thinking in terms of how systems are
> broken into, and to shift their thought-patterns into thinking
> about how to keep systems secure.

I don't think this is totally true. While I routinely tell people it is
always easier to break something than to create it, I also know that
knowing how to break software makes it easier to design tools that are
harder to wreck. The problem is the social reward structure on the
Internet is established to give more credit to those who discover
problems, not those trying to fix them. It's easy to see
what option people tend to choose first when given a choice.


> What are they worth? And the real issue: is there anything in there you
> won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.

> Am I the only person who has a problem with the idea of someone
> teaching hacking techniques? Sometimes I think I am.

No you're not. I'm writing an essay up on this very issue about an
incident that sealed me in as a believer that some information needs to be
earned and not just given away. This goes for many people in this
field, not just consulting companies. Perhaps I'll send a link when it is
complete.

> Hacking isn't a technological problem, it's a social problem.
> As such, it's not going to be "solved" by technological means,
> but rather by social means. I'm pretty sure that the best way
> to reduce the amount of hacking is _not_ to glorify it, charge
> people money to learn it, and hire people as consultants for
> lots of money because they have hacking backgrounds. The only
> way I can think of to make hacking unattractive is to make it
> really really expensive when you get caught.

Amen. Additionally, you need to make it so that your chances of getting
caught are high enough to no longer make it a game. We're approaching that
era now, the golden days of hacking are dead and have been since the
Internet went commercial. It isn't a game any more and people are starting
to wake up to the fact that it isn't a cute prank to hack systems.

I'm sure I'm not the only one who is sick of people hacking
systems, getting caught, and then complaining that they are being treated
unfairly. Well tough. You played the game poorly and you lost. Deal with
it.

> Here's a thought: when one of us gets broken into using one
> of the secret new techniques that E&Y is teaching, let's
> sue E&Y for developing it and disclosing it irresponsibly.
> They've got deep pockets. We're working in a legal environment
> where gun manufacturers are sometimes held accountable for
> the actions of their guns - it should be a dead simple argument
> that E&Y should be held accountable for the actions of
> their hacking techniques, and/or anyone and everyone who
> has been through their training. Thought provoking, huh?

Déjà vu! I was just having this discussion the other day (Hi Diana)! I
think any security company releasing exploit information needs to really
consider this as a possibility. IMHO, unless absolute gross negligence
is proven on the part of the software development company with respect to
the hole, I think most juries would hold the *security company*
responsible for damages as a result of their actions. Before the comment
comes up, no I don't think buffer overflows and other common problems are
*gross* negligence. I consider them industry wide stupidity for relying on
1960's/1970's languages for 1990's software. We'll save that for another
discussion though.

The recent disclosure of the eEye IIS 4 hole is a perfect example of
litigation waiting to happen against a security company. There are plenty
of details there that show the security company acted irresponsibly
(didn't wait for patch, released full working code, encouraged its use by
developing variants, etc.). Personally, if my website was attacked using
their code I'd sue their pants off, but that's just me.

This gets back to the open disclosure discussion, that is another
(off topic) subject altogether.

> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr



-- Craig