Firewall Wizards mailing list archives
RE: Extreme Hacking
From: sean.kelly () lanston com
Date: Tue, 6 Jul 1999 10:23:03 -0400
From: Marcus J. Ranum [mailto:mjr () nfr net]
Subject: Re: Extreme Hacking

A number of "reputable" security companies develop their own hacking techniques. I'm not sure what the justification is -- other than that it just comes naturally, since they tend to hire "ex-"hackers. It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.
Knowing the potential vulnerabilities of a system is the first step towards making it secure. It's even better if you can get ahead of the curve and discover new methods of breaking into a system that aren't yet public knowledge -- your systems will be that much more secure. Who better to secure a system against crackers than a cracker, provided you trust them?
Am I the only person who has a problem with the idea of someone teaching hacking techniques? Sometimes I think I am.
See above. It's one thing to teach someone how to secure a system, but if they don't know *why* what they're doing will secure it or further be able to notice other vulnerabilities in the system that weren't pointed out to them then at best they will be a second-rate security expert.
Hacking isn't a technological problem, it's a social problem. As such, it's not going to be "solved" by technological means, but rather by social means. I'm pretty sure that the best way to reduce the amount of hacking is _not_ to glorify it, charge people money to learn it, and hire people as consultants for lots of money because they have hacking backgrounds. The only way I can think of to make hacking unattractive is to make it really really expensive when you get caught.
I also don't mean to glamorize crackers (hackers are people that write code, why is the terminology so often messed up?) but in all honesty the vast majority of them aren't motivated by maliciousness so much as a desire to see if it can be done. You can't charge people money to learn it. All anyone has to do is spend a lot of time in a library or online reading technical docs, or follow any of the handy "how-to's" available all over the place. The only social solution would be to keep teenagers so busy doing other things that they wouldn't have the time to sit in front of a computer wondering how it works. Also, until recently (and even still) most crackers aren't motivated by any maliciousness so much as a desire to surmount a challenge. Some go as far as to notify the security teams in charge of securing whatever-it-is that there are vulnerabilities in their system, though they are often also brushed off.
Here's a thought: when one of us gets broken into using one of the secret new techniques that E&Y is teaching, let's sue E&Y for developing it and disclosing it irresponsibly.
Try proving that the knowledge actually came from E&Y as opposed to having been developed independently. I'd really be surprised if E&Y was teaching anything in those classes that wasn't already known by some constituent of the cracking community. And by keeping the knowledge secret as opposed to teaching it to the security community they are making it that much more likely that a system somewhere will be successfully compromised.
They've got deep pockets. We're working in a legal environment where gun manufacturers are sometimes held accountable for the actions of their guns - it should be a dead simple argument that E&Y should be held accountable for the actions of their hacking techniques, and/or anyone and everyone who has been through their training. Thought provoking, huh?
So you're saying that we should be able to prosecute someone for the distribution of knowledge? Oh wait, I forgot, the US also has crypto export laws and rules governing the dissemination of physics info related to nuke-building, even though it's all available in the library anyway. Oh yeah, and we still occasionally have book-burnings in the south. It seems to me that the problem here is ignorance, not the opposite. Just because you could pull something off in a US courtroom doesn't mean that it's right or that you're right. This goes double for computer law, as most people still don't know jack about it and hence the chance of an informed ruling is that much less likely.
I know a good ambulance chaser lawyer, who'll work for 33% of the take...
Interesting note: 60% of the world's lawyers practice in the US and there are as many people in law school in the US as there are lawyers currently practicing in the US. That amounts to a whole LOT of lawyers. The US is the McDonald's of litigation.

Sean