Firewall Wizards mailing list archives

Re: Extreme Hacking


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 7 Jul 1999 13:24:10 +1000 (EST)

In some email I received from sean.kelly () lanston com, sie wrote:

From: Marcus J. Ranum [mailto:mjr () nfr net]
Subject: Re: Extreme Hacking

A number of "reputable" security companies develop their
own hacking techniques. I'm not sure what the justification
is -- other than that it just comes naturally, since they
tend to hire "ex-"hackers. It'd be unrealistic to expect
those guys to stop thinking in terms of how systems are
broken into, and to shift their thought-patterns into thinking
about how to keep systems secure.

Knowing the potential vulnerabilities of a system is the first step towards
making it secure.  It's even better if you can get ahead of the curve and
discover new methods of breaking into a system that aren't yet public
knowledge -- your systems will be that much more secure.  Who better to
secure a system against crackers than a cracker, provided you trust them?

Knowing how to break into a system does not provide knowledge in making it
secure.  Whilst there is definitely some feedback between the two, one does
not imply the other.  For example, how does knowing to run program B with
host X as the target, resulting in shell access help me in securing it?
Disabling and removing whatever is responsible for allowing program B to
work is not an acceptable answer.

Am I the only person who has a problem with the idea of someone
teaching hacking techniques? Sometimes I think I am.

See above.  It's one thing to teach someone how to secure a system, but if
they don't know *why* what they're doing will secure it or further be able
to notice other vulnerabilities in the system that weren't pointed out to
them then at best they will be a second-rate security expert.

But E&Y aren't teaching you how to secure a system, they're teaching you
how to commit a crime, unless breaking into systems isn't a crime where
they're taking those classes.

[...]
I also don't mean to glamorize crackers (hackers are people that write code,
why is the terminology so often messed-up?) but in all honesty the vast
majority of them aren't motivated by maliciousness so much as a desire to
see if it can be done.

You mean the same sort of delinquent attitude that leads them to `tagging'
public transport and `decorating' otherwise flat, empty concrete walls?
What about shoplifting?  Maybe I should get curious about murdering
someone, try it out, just to see if I can get away with it.  A crime is
a crime, no matter which way you try to look at it and teaching people
the skills should also be frowned upon.  In something that recent legislation
here in Australia brought up, it's against the law to publish a book which
is instructional on committing a crime.  The Internet has changed all that
with instructional pages on just about everything under the sun available.
I don't know if it's the same elsewhere with books, but condoning the
dissemination of knowledge about how to break the law seems somehow flawed.

Darren


