Full Disclosure mailing list archives

Re: Security Industry Under Scrutiny


From: "yossarian" <yossarian () planet nl>
Date: Thu, 23 Jan 2003 01:11:50 +0100

You have a clear point here. Knowing the enemy is essential.

But looking at it statistically, there are a lot of criminally inclined
people, but only very few spies. People in intelligence are usually very
dedicated but dull professionals, and would hardly qualify for this
definition of spies. Most people in the CIA do deskjobs, and even in more
exciting outfits like the Mossad or the Sureté, the majority of the work is
gathering information by munching paper and wiretaps, hardly any James Bond
or Reilly stuff. Maybe the people disappointed in intelligence work become
hackers - nah, just kidding. These narcissistic, paranoid, antisocial etc,
people do exist, but I doubt if there are many. And only few of them will be
into computers, since this type of person has a wide range of career
opportunities - politician, lawyer, actor, football, boxing, to name but a
few.

If you are referring to industrial espionage, this is a different case. But
for that hacking on a network is much less effective than some social
engineering and financial lubrication, or Carnivore. And again, the computer
security industry which is supposedly under scrutiny, rarely touches on this
and comparable issues - it is fighting viruses and selling VPN's to spend
less money on dial in servers and phone lines, using encryption that
dedicated ASIC machines can break in a few minutes. Yes, but only
governments have the budgets required, so there is no problem.

Look at the revenues - the other parts of IT security are peanuts. MSSP's
would boom, said Gartner - didn't happen. PKI would rule - hasn't happened in
over 20 years. AAA and personalisation would be the next killer app - it
ain't happening. Securing the DNS system should be issue nr. 1, they said.
Nothing changed. Bin Laden would launch major cyberattacks in a matter of
weeks - again nothing. Everyone would go Common Criteria or ISO 17799. They
don't. Tons of money have been invested to cash in on these things - wasted.
Real things happened in security, but not in information security. Like I
said in my previous posting in this discussion, maybe we are just not that
important. Hence, the discussion about blackhats and whitehats cannot be
that important. It does prove that in the IT security business we are
narcissistic and paranoid - just looking at our own small world, getting
status by pointing out the risks to anyone listening, seeing dangers under
the bed.

Apparently some intelligence outfits do industrial or commercial
espionage with computers - like the Dutch version of the NSA, the AIVD,
reported. But the bad guys referred to are the Americans (the advice was not
to use major software companies' software because it might contain backdoors
and you don't get the source, and since most major software companies are
American ..., well, you get it).

Yes I am paranoid, but I work in the IT security industry, so that doesn't
count. I write long postings on this list, so I probably am narcissistic. My
colleagues tell me I am anti-social. Yes, you are right, the espionage prone
type will work in the industry.

I think the scrutiny should be: why doesn't the industry go for the real
issues in information security. My guess is because they cannot be solved
with a computer program. Basically we are just IT people selling another
type of programs. It truly is like the cartoon said: e-business didn't work,
Y2k is over, let's do security. So we hype and hyperventilate. And we are
missing the real issues.

----- Original Message -----
From: "ratel" <ratel () mailvault com>
To: <>
Sent: Wednesday, January 22, 2003 9:35 PM
Subject: [Full-disclosure] Security Industry Under Scrutiny #4


-----BEGIN PGP SIGNED MESSAGE-----

Interesting point - the motives of the criminal. The motives are part of
the key to this problem, the other part is effectiveness. The essence is -
for a criminal - making crime pay, like Perry managed, and getting away
with it, where Perry flunked.

The main problem with the rest of your post is that you're trying to
equate the psychology of hacking with the psychology of crime when a far
more appropriate analogy is the PSYCHOLOGY OF ESPIONAGE. A substantial
overlap with the common criminal to be sure, but an entirely different
kind of beast. I like to think so, anyway. Did you know that people
prone to espionage overwhelmingly share an unusual combination of three
personality disorders: narcissistic, antisocial and paranoid.
Narcissistic, antisocial and paranoid? Imagine that! Sound like anybody
you know in the security business, hmmm? heh.

There's a huge body of literature out there on this you can find on your
own, if it interests you, knock yourself out: you might be surprised at
what you come up with. Here's a start--a lot of great information which
also has the added benefit of being unintentionally funny as hell...
http://www.dss.mil/nf/adr/. As far as I'm concerned, the only difference
between sophisticated hackers and high-impact spies is a matter of the
environment they find themselves in. Likewise, script kiddie carders
correspond to dumb grunts caught selling secrets to make a fast buck.
Etc. etc. draw your own parallels.

Is it any coincidence that Robert Hanssen was planning on taking a
job in the computer security industry?

I think not.

Ratel.


-----BEGIN PGP SIGNATURE-----
Version: MailVault 2.2 from Laissez Faire City http://www.mailvault.com

iQA/AwUAPi8AXOYNtyh3zif9EQIpnQCfZ61wTbxSoW2LSTYLrJuXy2RmdCAAoKU+
T7VqUwAVLKw6ySON1Apcya1y
=h1DV
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

