Firewall Wizards mailing list archives

RE: Extreme Hacking


From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Wed, 7 Jul 1999 08:14:01 -0700



-----Original Message-----
From: Craig H. Rowland [SMTP:crowland () psionic com]
Sent: Tuesday, July 06, 1999 1:50 AM
To:   Marcus J. Ranum
Cc:   Kunz, Peter; firewall-wizards () nfr net
Subject:      Re: Extreme Hacking


tend to hire "ex-"hackers. It'd be unrealistic to expect
those guys to stop thinking in terms of how systems are
broken into, and to shift their thought-patterns into thinking
about how to keep systems secure.

I don't think this is totally true. While I routinely tell people it is
always easier to break something than to create it, I also know that
knowing how to break software makes it easier to design tools that are
harder to wreck. The problem is the social reward structure on the
Internet is established to give more credit to those who discover
problems, not those trying to fix them. It's easy to see
what option people tend to choose first when given a choice.

Wait a minute.  What choice do I have if I am a consumer of a security
product?  Unless it's "open-source" I can't go in and fix it myself if I find
a problem!  I have to depend on my vendor to do so, and risk vendor apathy,
instituted processes for handling such alarms, and other inordinate delays
in receiving a fix.

The problem isn't some contrived social reward structure as much as it is
simply an illustration of the vast number of consumers opposed to vendors,
and the normal tensions therein.  You don't see Linus Torvalds or Alan Cox
bitching about the fact that five HUNDRED thousand code kiddies are writing
and actively exploiting vulnerabilities in their operating systems or the
services that run on it, despite the fact that their code powers as many if
not more web servers than NT does.  Where is the reward structure for
picking out vulnerabilities that are sitting right in front of your face?
But I digress... :-) 

Hacking isn't a technological problem, it's a social problem.

Amen. Additionally, you need to make it so that your chances of getting
caught are high enough to no longer make it a game. We're approaching that
era now, the golden days of hacking are dead and have been since the
Internet went commercial. It isn't a game any more and people are starting
to wake up to the fact that it isn't a cute prank to hack systems.

I'm sure I'm not the only one who is sick of people hacking
systems, getting caught, and then complaining that they are being treated
unfairly. Well tough. You played the game poorly and you lost. Deal with
it. 

And I am just as sick of vendors rushing crappy products to market and not
taking sufficient means to code them correctly, then turning around and
complaining because some pimple-faced lad spilled the beans about some
hideous bug in their mission-critical code before they had means to
implement sufficient damage control.  When you supposedly sell me the
world's fastest, most secure web-serving platform for enterprises you had
damn well better live up to your expectations.  You reap what you sow.

I find myself agreeing with what you say here for the most part.  The stakes
are much larger and the sides are definitely much more polarized.  I
definitely think today's hacker much more than yesteryear's is out for the
cheap thrill rather than the purely philosophical or scholarly pursuit.
That having been said - hacking is definitely an illustration of a social
problem - the perceived disparity between the individual and the corporate
entity, the "system" or "the man."  Half of the thrill might be in the
discovery, but the other, greater half of the thrill is knowing that as an
individual you've beaten some much larger entity.  No vendor consortium with
secret handshakes will ever destroy that simple, basic principle.  In fact,
you could make a case that such consortiums only exacerbate the problem, not
destroy it.  Can you imagine what would happen if CERT just started out as
full disclosure, instead of running a parallel, super-secret full disclosure
forum amongst the few security professionals at the time with Zardoz?

This gets back to the open disclosure discussion, that is another
(off topic) subject altogether.

Absolutely!  Save that discussion for another day ;-)


-- Craig

Matt LeGrow


