Re: Extreme Hacking

[Paul Woodie <paul_woodie () wcatrain com>]

I could not agree more with Marcus on this point.  Hacking (or any other
trespassing behaviour, for that matter) is primarily a social problem.  And
technological remedies are not the primary remedy to this situation.  It is true
that a good technological defense is needed (e.g., firewalls, host-based
security, etc), but that is only a defense, not a remedy to the real problem.

An understanding of the technology (of attacks -- hacking??) is helpful for
those that are trying to defend, but they are probably always behind in their
defenses compared to attacks.  But the point remains, if I use a tool for a
malicious/non-lawful purpose, I had better be prepared to bear the consequences
of my actions (which should be quite severe).

Paul Woodie


"Marcus J. Ranum" wrote:

> > Ernst & young made headlines in TIME when they offered the first run fo
> > their Extreme Hacking course. 5 days of Unix and NT hacking, with a CD to
> > take home. The participants are somewhat screend by having to be referenced
> > by local the local EY office. Recently, I was told attendees learn new
> > exploits and hacks that we will probably only see out in the open in 1-2
> > years.
>
> I have to remain a little sceptical on this point. What I think
> they mean is that they invented a few tricks of their own, which
> they aren't planning on publishing -- they'll leak out pretty
> quickly, once the class has run a couple times. I find it hard
> to imagine that teaching something in a class is a good way
> to keep it a secret.
>
> > So, the question arises: what other companies have such
> > DBs?
>
> A number of "reputable" security companies develop their
> own hacking techniques. I'm not sure what the justification
> is -- other than that it just comes naturally, since they
> tend to hire "ex-"hackers. It'd be unrealistic to expect
> those guys to stop thinking in terms of how systems are
> broken into, and to shift their thought-patterns into thinking
> about how to keep systems secure.
>
> > What are they worth? And the real issue: is there anything in there you
> > won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.
>
> Am I the only person who has a problem with the idea of someone
> teaching hacking techniques? Sometimes I think I am.
>
> Hacking isn't a technological problem, it's a social problem.
> As such, it's not going to be "solved" by technological means,
> but rather by social means. I'm pretty sure that the best way
> to reduce the amount of hacking is _not_ to glorify it, charge
> people money to learn it, and hire people as consultants for
> lots of money because they have hacking backgrounds. The only
> way I can think of to make hacking unattractive is to make it
> really really expensive when you get caught.
>
> Here's a thought: when one of us gets broken into using one
> of the secret new techniques that E&Y is teaching, let's
> sue E&Y for developing it and disclosing it irresponsibly.
> They've got deep pockets. We're working in a legal environment
> where gun manufacturers are sometimes held accountable for
> the actions of their guns - it should be a dead simple argument
> that E&Y should be held accountable for the actions of
> their hacking techniques, and/or anyone and everyone who
> has been through their training. Thought provoking, huh?
> I know a good ambulance chaser lawyer, who'll work for %33
> of the take...
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr

Attachment: paul_woodie.vcf
Description: Card for Paul Woodie