Firewall Wizards mailing list archives
RE: Extreme Hacking
From: sean.kelly () lanston com
Date: Wed, 7 Jul 1999 12:18:52 -0400
From: Darren Reed [mailto:darrenr () reed wattle id au]
Knowing the potential vulnerabilities of a system is the first step towards making it secure. It's even better if you can get ahead of the curve and discover new methods of breaking into a system that aren't yet public knowledge -- your systems will be that much more secure. Who better to secure a system against crackers than a cracker, provided you trust them?
Knowing how to break into a system does not provide knowledge in making it secure. Whilst there is definitely some feedback between the two, one does not imply the other. For example, how does knowing to run program B with host X as the target, resulting in shell access, help me in securing it? Disabling and removing whatever is responsible for allowing program B to work is not an acceptable answer.
I think our understanding of "how to break into a system" is different. You are referring to the script-kiddies: people who have no actual understanding of how to break into a system beyond that running X program will gain them entry. I am referring to knowledgeable crackers -- people with a thorough understanding of the inner-workings of the hardware/software/network/whatever and consciously and methodically exploiting weaknesses in the platforms. i.e. I'm referring to the people that wrote the scripts in the first place. In my example, knowing how to break into a system equates to a great degree with knowing how to secure it. In your example, as you pointed out, it does not.
Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am.
See above. It's one thing to teach someone how to secure a system, but if they don't know *why* what they're doing will secure it or further be able to notice other vulnerabilities in the system that weren't pointed out to them then at best they will be a second-rate security expert.
But E&Y aren't teaching you how to secure a system, they're teaching you how to commit a crime, unless breaking into systems isn't a crime where they're taking those classes.
It is debatable whether a break-in implicitly constitutes a crime, and in what circumstances. Computer law is weird like that. Beyond the purely philosophical argument, there are a whole lot of ex-crackers out there that perform security evaluations for companies by attempting to break into them. This is a valid and valuable service for which there must be some kind of allowable training if it is to continue.
I also don't mean to glamorize crackers (hackers are people that write code, why is the terminology so often messed-up?) but in all honesty the vast majority of them aren't motivated by maliciousness so much as a desire to see if it can be done.
You mean the same sort of delinquent attitude that leads them to `tagging' public transport and `decorating' otherwise flat, empty concrete walls? What about shoplifting? Maybe I should get curious about murdering someone, try it out, just to see if I can get away with it.
You misunderstand me. Breaking into a system does not imply any sort of theft or vandalism, and certainly nothing close to murder. While it is a pain in the butt for security people who must then do a lot of work to make sure it doesn't happen the same way again, a break-in itself is not an actively malicious act.
A crime is a crime, no matter which way you try to look at it and teaching people the skills should also be frowned upon. In something that recent legislation here in Australia brought up, it's against the law to publish a book which is instructional on committing a crime.
Again we return to one of the critical questions: internet law. What constitutes a crime and how can those crimes be prosecuted internationally? Should a country refuse to sell books about things that aren't a crime in their country if they might be a crime in another country? What if someone orders a copy of the book and has it shipped to them? What if this country has a copy of the book on the internet?
The Internet has changed all that with instructional pages on just about everything under the sun available.
This has been the case for a long time. I ran a BBS back in the early 80's and all this information was a phonecall away even back then. The recent popularization of the internet has just increased the percentage of people with access to the information -- something that can be neither helped nor prevented. If the instructions are burned, some smart kids are just going to figure it all out again. I'm a programmer by trade, and if I was interested enough, I could figure much of it out from scratch also -- no "how-to" books needed. Kind of like how an engineer has the skills needed to figure out how to demolish a building and have it fall straight-down instead of toppling sideways (which is also done regularly).
I don't know if it's the same elsewhere with books, but condoning the dissemination of knowledge about how to break the law seems somehow flawed.
It might be, but law is a sticky issue, and the internet is still very new territory as far as law is concerned. Further, it's essentially impossible to control the dissemination of knowledge, especially now that the internet exists. It's one thing not to condone the dissemination of knowledge, it's another to prevent it. If the issue is E&Y's course -- they're preventing the average kid from gaining the knowledge just by charging the $5000 pricetag for the course. Besides, I'd be willing to bet that much of the content from the course has been gleaned from various sources on the internet anyway. Most of these courses are a tad behind-the-curve as far as the cutting-edge of whatever is concerned. People pay the obscene amounts of money to have it encapsulated for them because they can't afford to spend the time to go and find it on their own.
Sean