Firewall Wizards mailing list archives

Re: Extreme Hacking


From: deab () slack net
Date: Mon, 5 Jul 1999 23:14:56 -0400 (EDT)


> A number of "reputable" security companies develop their
> own hacking techniques. I'm not sure what the justification
> is -- other than that it just comes naturally, since they
> tend to hire "ex-"hackers.

Intrusion detection systems, such as are available for NFR,
might be one justification for developing hacker technology.
I would at least _hope_ the companies in the industry write exploit
code to test their products.

> It'd be unrealistic to expect
> those guys to stop thinking in terms of how systems are
> broken into, and to shift their thought-patterns into thinking
> about how to keep systems secure.

I think those are one and the same.

> Am I the only person who has a problem with the idea of someone
> teaching hacking techniques? Sometimes I think I am.

If I teach a customer how to look for security problems in their C code,
they can use the knowledge to fix bugs or they can use the knowledge
to write exploits.  Thinking about how systems are broken into is
generally how we find and eliminate the human error factor.  Computer
security is an evolutionary process, with new bugs continually
popping up and then getting fixed. <OpenBSD plug here>

> Hacking isn't a technological problem, it's a social problem.

It's also an economic problem.  It's also a political problem.
I think by limiting your threat model to script kids and
E&Y class takers you're leaving out a big piece of the pie.
I happen to do penetration testing for one of those reputable
companies you spoke of.  All the companies I've worked with
were much more worried about proprietary data being stolen
than about their web pages being defaced.  Industrial spying
is not a 'social problem' that can be fixed without a major change
in the world's current nation/state model.

> Here's a thought: when one of us gets broken into using one
> of the secret new techniques that E&Y is teaching, let's
> sue E&Y for developing it and disclosing it irresponsibly.

I think it's unfortunate to suggest that.
I would hope our ability to communicate computer security knowledge
is a protected form of expression.  At this point, however, I wouldn't
be surprised to see a ban on the export of computer security
information (exploits) as a potential munition.

Cheers,
Daniel
