Re: Extreme Hacking

[Arjan Vos <arjan () pino demon nl>]

On Mon, 5 Jul 1999, Marcus J. Ranum wrote:

> > Ernst & young made headlines in TIME when they offered the first run fo
> > their Extreme Hacking course. 5 days of Unix and NT hacking, with a CD to
> > take home. The participants are somewhat screend by having to be referenced
> > by local the local EY office. Recently, I was told attendees learn new
> > exploits and hacks that we will probably only see out in the open in 1-2
> > years.
>
> I have to remain a little sceptical on this point. What I think
> they mean is that they invented a few tricks of their own, which
> they aren't planning on publishing -- they'll leak out pretty
> quickly, once the class has run a couple times. I find it hard
> to imagine that teaching something in a class is a good way
> to keep it a secret.

I don't think they even invented a "few tricks of their own". I think they
may have added some program which serves as a front-end for the exploits
taken (and modified for integration with the program) from Packet
Storm.... The E&Y CD surely is basically the same as the data Ken Williams
got back from Harvard (he did... didn't he?).

Also, they may have hacked together some tools for tunneling and spoofing
attacks and maybe got some man-in-the-middle SSL attack code thrown in...

> > So, the question arises: what other companies have such
> > DBs?
>
> A number of "reputable" security companies develop their
> own hacking techniques. I'm not sure what the justification
> is -- other than that it just comes naturally, since they
> tend to hire "ex-"hackers. It'd be unrealistic to expect
> those guys to stop thinking in terms of how systems are
> broken into, and to shift their thought-patterns into thinking
> about how to keep systems secure.

There are companies offering vulnerability databases like ISS. But now
there is a free one at www.securityfocus.com. Basically they do the same
but the commercial ones may add some value by selecting the relevant
vulnerability information for their clients.

> > What are they worth? And the real issue: is there anything in there you
> > won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.
>
> Am I the only person who has a problem with the idea of someone
> teaching hacking techniques? Sometimes I think I am.
>
> Hacking isn't a technological problem, it's a social problem.
> As such, it's not going to be "solved" by technological means,
> but rather by social means. I'm pretty sure that the best way
> to reduce the amount of hacking is _not_ to glorify it, charge
> people money to learn it, and hire people as consultants for
> lots of money because they have hacking backgrounds. The only
> way I can think of to make hacking unattractive is to make it
> really really expensive when you get caught.

Well, I really don't have much of a problem in teaching people hacking
techniques - teaching hacking techniques to the right persons is like
learning a man to fish instead of giving him one fish... However I do have
a problem with glorifying hacking as the media tend to do it nowadays.

> Here's a thought: when one of us gets broken into using one
> of the secret new techniques that E&Y is teaching, let's
> sue E&Y for developing it and disclosing it irresponsibly.
> They've got deep pockets. We're working in a legal environment
> where gun manufacturers are sometimes held accountable for
> the actions of their guns - it should be a dead simple argument
> that E&Y should be held accountable for the actions of
> their hacking techniques, and/or anyone and everyone who
> has been through their training. Thought provoking, huh?
> I know a good ambulance chaser lawyer, who'll work for %33
> of the take...

That says it all, actually. E&Y (and KPMG, and D&T, and PWC) wouldn't dare
to give away or sell new techniques with their liability issues and such.
OTOH, it might explain the $4.5K :-))

Gr. Arjan

----
Eat hard
Sleep hard
Wear glasses if you need them