Firewall Wizards mailing list archives
Re: Extreme Hacking
From: Arjan Vos <arjan () pino demon nl>
Date: Mon, 5 Jul 1999 23:55:37 +0200 (CEST)
On Mon, 5 Jul 1999, Marcus J. Ranum wrote:
Ernst & young made headlines in TIME when they offered the first run fo their Extreme Hacking course. 5 days of Unix and NT hacking, with a CD to take home. The participants are somewhat screend by having to be referenced by local the local EY office. Recently, I was told attendees learn new exploits and hacks that we will probably only see out in the open in 1-2 years.I have to remain a little sceptical on this point. What I think they mean is that they invented a few tricks of their own, which they aren't planning on publishing -- they'll leak out pretty quickly, once the class has run a couple times. I find it hard to imagine that teaching something in a class is a good way to keep it a secret.
I don't think they even invented a "few tricks of their own". I think they may have added some program which serves as a front-end for the exploits taken (and modified for integration with the program) from Packet Storm.... The E&Y CD surely is basically the same as the data Ken Williams got back from Harvard (he did... didn't he?). Also, they may have hacked together some tools for tunneling and spoofing attacks and maybe got some man-in-the-middle SSL attack code thrown in...
So, the question arises: what other companies have such DBs?A number of "reputable" security companies develop their own hacking techniques. I'm not sure what the justification is -- other than that it just comes naturally, since they tend to hire "ex-"hackers. It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.
There are companies offering vulnerability databases like ISS. But now there is a free one at www.securityfocus.com. Basically they do the same but the commercial ones may add some value by selecting the relevant vulnerability information for their clients.
What are they worth? And the real issue: is there anything in there you won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am. Hacking isn't a technological problem, it's a social problem. As such, it's not going to be "solved" by technological means, but rather by social means. I'm pretty sure that the best way to reduce the amount of hacking is _not_ to glorify it, charge people money to learn it, and hire people as consultants for lots of money because they have hacking backgrounds. The only way I can think of to make hacking unattractive is to make it really really expensive when you get caught.
Well, I really don't have much of a problem in teaching people hacking techniques - teaching hacking techniques to the right persons is like learning a man to fish instead of giving him one fish... However I do have a problem with glorifying hacking as the media tend to do it nowadays.
Here's a thought: when one of us gets broken into using one of the secret new techniques that E&Y is teaching, let's sue E&Y for developing it and disclosing it irresponsibly. They've got deep pockets. We're working in a legal environment where gun manufacturers are sometimes held accountable for the actions of their guns - it should be a dead simple argument that E&Y should be held accountable for the actions of their hacking techniques, and/or anyone and everyone who has been through their training. Thought provoking, huh? I know a good ambulance chaser lawyer, who'll work for %33 of the take...
That says it all, actually. E&Y (and KPMG, and D&T, and PWC) wouldn't dare to give away or sell new techniques with their liability issues and such. OTOH, it might explain the $4.5K :-)) Gr. Arjan ---- Eat hard Sleep hard Wear glasses if you need them
Current thread:
- Extreme Hacking Kunz, Peter (Jul 05)
- Re: Extreme Hacking Marcus J. Ranum (Jul 05)
- Re: Extreme Hacking Arjan Vos (Jul 05)
- Re: Extreme Hacking Aleph One (Jul 06)
- Re: Extreme Hacking Marcus J. Ranum (Jul 06)
- Re: Extreme Hacking Ge' Weijers (Jul 06)
- Re: Extreme Hacking Marcus J. Ranum (Jul 12)
- Re: Extreme Hacking Ge' Weijers (Jul 12)
- Re: Extreme Hacking Darren Reed (Jul 12)
- Re: Extreme Hacking Crispin Cowan (Jul 13)
- Re: Extreme Hacking deab (Jul 06)
- Re: Extreme Hacking Paul Woodie (Jul 06)
- Re: Extreme Hacking Craig H. Rowland (Jul 06)
- Re: Extreme Hacking Marcus J. Ranum (Jul 05)