Firewall Wizards mailing list archives
Re: Extreme Hacking
From: deab () slack net
Date: Mon, 5 Jul 1999 23:14:56 -0400 (EDT)
A number of "reputable" security companies develop their own hacking techniques. I'm not sure what the justification is -- other than that it just comes naturally, since they tend to hire "ex-"hackers.
Intrusion detection systems, such as are available for NFR, might be one justification for developing hacker technology. I would at least _hope_ the companies in the industry write exploit code to test their products.
It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.
I think those are one and the same.
Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am.
If I teach a customer how to look for security problems in their C code, they can use the knowledge to fix bugs or they can use the knowledge to write exploits. Thinking about how systems are broken into is generally how we find and eliminate the human error factor. Computer security is an evolutionary process, with new bugs continually popping up and then getting fixed. <OpenBSD plug here>
Hacking isn't a technological problem, it's a social problem.
It's also an economic problem. It's also a political problem. I think by limiting your threat model to script kids and E&Y class takers you're leaving out a big piece of the pie. I happen to do penetration testing for one of those reputable companies you spoke of. All the companies I've worked with were much more worried about proprietary data being stolen than about their web pages being defaced. Industrial spying is not a 'social problem' that can be fixed without a major change in the world's current nation/state model.
Here's a thought: when one of us gets broken into using one of the secret new techniques that E&Y is teaching, let's sue E&Y for developing it and disclosing it irresponsibly.
I think it's unfortunate to suggest that. I would hope our ability to communicate computer security knowledge is a protected form of expression. At this point, however, I wouldn't be surprised to see a ban on the export of computer security information (exploits) as a potential munition.
Cheers,
Daniel