Firewall Wizards mailing list archives
RE: Extreme Hacking
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Wed, 7 Jul 1999 08:14:01 -0700
-----Original Message-----
From: Craig H. Rowland [SMTP:crowland () psionic com]
Sent: Tuesday, July 06, 1999 1:50 AM
To: Marcus J. Ranum
Cc: Kunz, Peter; firewall-wizards () nfr net
Subject: Re: Extreme Hacking

tend to hire "ex-"hackers. It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.

I don't think this is totally true. While I routinely tell people it is always easier to break something than to create it, I also know that knowing how to break software makes it easier to design tools that are harder to wreck. The problem is the social reward structure on the Internet is established to give more credit to those who discover problems, not those trying to fix them. It's easy to see what option people tend to choose first when given a choice.
Wait a minute. What choice do I have if I am a consumer of a security product? Unless it's "open-source" I can't go in and fix it myself if I find a problem! I have to depend on my vendor to do so, and risk vendor apathy, instituted processes for handling such alarms, and other inordinate delays in receiving a fix. The problem isn't some contrived social reward structure as much as it is simply an illustration of the vast number of consumers opposed to vendors, and the normal tensions therein. You don't see Linus Torvalds or Alan Cox bitching about the fact that five HUNDRED thousand code kiddies are writing and actively exploiting vulnerabilities in their operating systems or the services that run on it, despite the fact that their code powers as many if not more web servers than NT does. Where is the reward structure for picking out vulnerabilities that are sitting right in front of your face? But I digress... :-)
Hacking isn't a technological problem, it's a social problem.

Amen. Additionally, you need to make it so that your chances of getting caught are high enough to no longer make it a game. We're approaching that era now, the golden days of hacking are dead and have been since the Internet went commercial. It isn't a game any more and people are starting to wake up to the fact that it isn't a cute prank to hack systems. I'm sure I'm not the only one who is sick of people hacking systems, getting caught, and then complaining that they are being treated unfairly. Well tough. You played the game poorly and you lost. Deal with it.
And I am just as sick of vendors rushing crappy products to market and not taking sufficient means to code them correctly, then turning around and complaining that because some pimple-faced lad spilled the beans about some hideous bug in their mission-critical code before they had means to implement sufficient damage control. When you supposedly sell me the world's fastest, most secure web-serving platform for enterprises you had damn well better live up to your expectations. You reap what you sow.

I find myself agreeing with what you say here for the most part. The stakes are much larger and the sides are definitely much more polarized. I definitely think today's hacker much more than yesteryear's is out for the cheap thrill rather than the purely philosophical or scholarly pursuit. That having been said - hacking is definitely an illustration of a social problem - the perceived disparity between the individual and the corporate entity, the "system" or "the man." Half of the thrill might be in the discovery, but the other, greater half of the thrill is knowing that as an individual you've beaten some much larger entity. No vendor consortium with secret handshakes will ever destroy that simple, basic principle. In fact, you could make a case that such consortiums only exacerbate the problem, not destroy it. Can you imagine what would happen if CERT just started out as full disclosure, instead of running a parallel, super-secret full disclosure forum amongst the few security professionals at the time with Zardoz?
This gets back to the open disclosure discussion, that is another (off topic) subject altogether.
Absolutely! Save that discussion for another day ;-)
-- Craig
Matt LeGrow