Firewall Wizards mailing list archives

RE: Extreme Hacking


From: sean.kelly () lanston com
Date: Tue, 6 Jul 1999 10:23:03 -0400

From: Marcus J. Ranum [mailto:mjr () nfr net]
Subject: Re: Extreme Hacking

A number of "reputable" security companies develop their
own hacking techniques. I'm not sure what the justification
is -- other than that it just comes naturally, since they
tend to hire "ex-"hackers. It'd be unrealistic to expect
those guys to stop thinking in terms of how systems are
broken into, and to shift their thought-patterns into thinking
about how to keep systems secure.

Knowing the potential vulnerabilities of a system is the first step towards
making it secure.  It's even better if you can get ahead of the curve and
discover new methods of breaking into a system that aren't yet public
knowledge -- your systems will be that much more secure.  Who better to
secure a system against crackers than a cracker, provided you trust them?
 
Am I the only person who has a problem with the idea of someone
teaching hacking techniques? Sometimes I think I am.

See above.  It's one thing to teach someone how to secure a system, but if
they don't know *why* what they're doing will secure it or further be able
to notice other vulnerabilities in the system that weren't pointed out to
them then at best they will be a second-rate security expert.

Hacking isn't a technological problem, it's a social problem.
As such, it's not going to be "solved" by technological means,
but rather by social means. I'm pretty sure that the best way
to reduce the amount of hacking is _not_ to glorify it, charge
people money to learn it, and hire people as consultants for
lots of money because they have hacking backgrounds. The only
way I can think of to make hacking unattractive is to make it
really really expensive when you get caught.

I also don't mean to glamorize crackers (hackers are people that write code,
why is the terminology so often messed-up?) but in all honesty the vast
majority of them aren't motivated by maliciousness so much as a desire to
see if it can be done.  You can't charge people money to learn it.  All
anyone has to do is spend a lot of time in a library or online reading
technical docs, or follow any of the handy "how-to's" available all over the
place.  The only social solution would be to keep teenagers so busy doing
other things that they wouldn't have the time to sit in front of a computer
wondering how it works.  Also, until recently (and even still) most crackers
aren't motivated by any maliciousness so much as a desire to surmount a
challenge.  Some go as far as to notify the security teams in charge of
securing whatever-it-is that there are vulnerabilities in their system,
though they are often also brushed-off.

Here's a thought: when one of us gets broken into using one
of the secret new techniques that E&Y is teaching, let's
sue E&Y for developing it and disclosing it irresponsibly.

Try proving that the knowledge actually came from E&Y as opposed to having
been developed independently.  I'd really be surprised if E&Y was teaching
anything in those classes that wasn't already known by some constituent of
the cracking community.  And by keeping the knowledge secret as opposed to
teaching it to the security community they are making it that much more
likely that a system somewhere will be successfully compromised.

They've got deep pockets. We're working in a legal environment
where gun manufacturers are sometimes held accountable for
the actions of their guns - it should be a dead simple argument
that E&Y should be held accountable for the actions of
their hacking techniques, and/or anyone and everyone who
has been through their training. Thought provoking, huh?

So you're saying that we should be able to prosecute someone for the
distribution of knowledge?  Oh wait, I forgot, the US also has crypto export
laws and rules governing the dissemination of physics info related to
nuke-building, even though it's all available in the library anyway.  Oh
yeah, and we still occasionally have book-burnings in the south.  It seems
to me that the problem here is ignorance, not the opposite.  Just because
you could pull something off in a US courtroom doesn't mean that it's right
or that you're right.  This goes double for computer-law as most people
still don't know jack about them and hence the chance of an informed ruling
is that much less likely.

I know a good ambulance chaser lawyer, who'll work for 33%
of the take...

Interesting note: 60% of the world's lawyers practice in the US and there
are as many people in law school in the US as there are lawyers currently
practicing in the US.  That amounts to a whole LOT of lawyers.  The US is
the McDonald's of litigation.


Sean


