Re: Extreme Hacking

[dreamwvr <dreamwvr () dreamwvr com>]

hi all,
> > Knowing the potential vulnerabilities of a system is the first step towards
> > making it secure.  It's even better if you can get ahead of the curve and
> > discover new methods of breaking into a system that aren't yet public
> > knowledge -- your systems will be that much more secure.  Who better to
> > secure a system against crackers than a cracker, provided you trust them?
i would have to agree here that is why apparently janet reno hired some to 
test some .gov networks fairly recently. you need IMHO a person that thinks 
like a hacker to protect your networks. This is something i was accused of 
when going to school many years ago:-{ The mentality of many system admins 
is that if you think like a hacker you are a hacker. To many this is down
right wrong and will disuade many that could otherwise contribute to refrain
simply from past experience. having said that the mindset of many
administrators
must change if there is even the foggiest hope of 'some more' security than
exists today. How many times have you had the individual with can piss the 
farthest get more in the way of your mission than assist simply due to no
understanding in this arena. With the result that we are all lesser for it:-(
> Knowing how to break into a system does not provide knowledge in making it
> secure.  Whilst there is definately some feedback between the two, one does
> not imply the other.  For example, how does knowing to run program B with
> host X as the target, resulting in shell access help me in securing it ?
> Disabling and removing what ever is responsible for allowing program B to
> work is not an acceptable answer.
yes but if you are able to demonstrate or articulate the exploits this 
will often be enough to get upper management to sign on a project. otherwise
it is simply another story that they will balance off according to the 
tangible effect on their bottom line. let me ask you this? how many of 
the consultants truly have carte blanc? So as a result we all lose in 
batting down the hatches;-} i guess what i am saying is heresay is often
taken lightly without tangible proof. Also the decision makers are constantly 
being bombarded with propaganda from every selling of snake oil to the 
fountain of youth..:-/
> > See above.  It's one thing to teach someone how to secure a system, but if
> > they don't know *why* what they're doing will secure it or further be able
> > to notice other vulnerabilities in the system that weren't pointed out to
> > them then at best they will be a second-rate security expert.
i would agree here that the need is to understand the "Why 4 HOW COME"
most times IMHO if you don't understand the problem you can't really 
come up with a good solution. probably the best security is the virtual 
network though which i gather most of us are running 2 at this time;-)
so how can we improve be remaining flexible. i do think though that many 
that take this wallet thinner will be more enlightened as they would not 
take a course like that unless they were having difficulty in understanding 
what they were protecting against. E&&Y is simply riding the wave of 
insecurity that the corporate world is dealing with right now. I am not 
so sure that if i were a public company i could resist the temptation as 
well. After all they do have to keep their shareholders happy don't they.
What depresses me often times is the impression that if you are the 
'Golden Arches' you make a better burger || for that mater know how;-(}
> But E&Y aren't teaching you how to secure a system, they're teaching you
> how to commit a crime, unless breaking into systems isn't a crime where
> they're taking those classes.
how much can they truly teach in a few day course? how long did it take you
to understand the problems with TCP/IP ? How long did it take you to
understand 
what is occuring under the surface in UNIX? if you are anything like me it 
surely wasn't overnight and i am still learning something pretty much
everyday.
IMHO if your not your dead in the water.. 
> > I also don't mean to glamorize crackers (hackers are people that write
code,
> > why is the terminology so often messed-up?) but in all honesty the vast
> > majority of them aren't motivated by maliciousness so much as a desire to
> > see if it can be done.
again i would agree here there are many... many that are simply interested 
in how the system gets the work done. inquiring minds want to know. since 
hollywierd has obfisciated for the masses the original concept of the hacker 
as opposed to the cracker we are left with a even more confused public. They
often think they are the experts since they saw it on 'investgative reports' 
&& i didn't since i was hiding behind one of my cpus at the time;-]
In something that recent legislation
> here in Australia brought up, it's against the law to publish a book which
> is instructional on committing a crime.  The Internet has changed all that
> with instructional pages on just about everything under the sun available.
> I don't know if it's the same elsewhere with books, but condoning the
> disemination of knowledge about how to break the law seems somehow flawed.
that is what democracy is about. freedom to choose either wrongly or
otherwise.
where does it end when we all have a invisible tattoo on our forehead? 
that is a bit hypocritical as well considering that Australia in recent
history
used to check the palms and eyes of all immigrants to determine whether they 
were acceptable. i surely won't go further on that line. then again i saw 
that one on a recent documentary so maybe that too is a story:-} Somehow i 
doubt it.. Ever Read Fahrenheit 251? enough said.. 
                                                                Regards,
                                                                dreamwvr () dreamwvr com 
Reuters, London, February 29, 1998: 
Scientists have announced discovering a meteorite which will strike the 
earth in March, 2028.  Millions of UNIX coders expressed relief for being 
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

************** DREAMWVR.COM - TOTAL INTERNET SERVICES ****************
  TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..
           <http://www.dreamwvr.com/services/MAX_SEC.html>
   DREAMWVR.COM - The Console of Many... 24 X 7 Evolution Internet
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
 -> Linux-Mandrake Solution Provider and North American Distributor <-
        <http://www.dreamwvr.com/mandrake/mandrake-dist.html>
  "As Unique as the Company You Keep."        "===0 PGP Key Available  
________________________________________________________________________