RE: Extreme Hacking

[sean.kelly () lanston com]

> From: Darren Reed [mailto:darrenr () reed wattle id au]
>
> > Knowing the potential vulnerabilities of a system is the 
> first step towards
> > making it secure.  It's even better if you can get ahead of 
> the curve and
> > discover new methods of breaking into a system that aren't 
> yet public
> > knowledge -- your systems will be that much more secure.  
> Who better to
> > secure a system against crackers than a cracker, provided 
> you trust them?
>
> Knowing how to break into a system does not provide knowledge 
> in making it
> secure.  Whilst there is definately some feedback between the 
> two, one does
> not imply the other.  For example, how does knowing to run 
> program B with
> host X as the target, resulting in shell access help me in 
> securing it ?
> Disabling and removing what ever is responsible for allowing 
> program B to
> work is not an acceptable answer.

I think our understanding of "how to break into a system" is different.  You
are referring to the script-kiddies: people who have no actrual
understanding of how to break into a system beyond that running X program
will gain them entry.  I am referring to knowledgeable crackers -- people
with a thorough understanding of the inner-workings of the
hardware/software/network/whatever and consciously and methodically
exploting weaknesses in the platforms.  ie. I'm referring to the people
thgat wrote the scripts in the first place.  In my example, knowing how to
break into a system equates to a great degree with knowing how to secure it.
In your example, as you pointed out, it does not.

> > > Am I the only person who has a problem with the idea of someone
> > > teaching hacking techniques? Sometimes I think I am.
> >
> > See above.  It's one thing to teach someone how to secure a 
> system, but if
> > they don't know *why* what they're doing will secure it or 
> further be able
> > to notice other vulnerabilities in the system that weren't 
> pointed out to
> > them then at best they will be a second-rate security expert.
>
> But E&Y aren't teaching you how to secure a system, they're 
> teaching you
> how to commit a crime, unless breaking into systems isn't a 
> crime where
> they're taking those classes.

It is debatable whether a break-in implicitly constitutes a crime, and in
what circumstances.  Computer law is weird like that.  Beyond the purely
philosophical argument, there are a whole lot of ex-crackers out there that
perform security evaluations for companies by attempting to break into them.
This is a valid and valuable service for which there must be some kind of
allowable training if it is to continue.

> > I also don't mean to glamorize crackers (hackers are people 
> that write code,
> > why is the terminology so often messed-up?) but in all 
> honesty the vast
> > majority of them aren't motivated by maliciousness so much 
> as a desire to
> > see if it can be done.
>
> You mean the same sort of deliquent attitude that leads them 
> to `tagging'
> public transport and `decorating' otherwise flat, empty 
> croncrete walls ?
> What about shop lifting ?  Maybe I should get curious about murdering
> someone, try it out, just to see if I can get away with it.

You misunderstand me.  Breaking into a system does not imply any sort of
theft or vandalism, and certainly nothing close to murder.  While it is a
pain in the butt for security people who must then do a lot of work to make
sure it doesn't happen the same way again, a break-in itself is not an
actively malicious act.

> A crime is
> a crime, no matter which way you try to look at it and teaching people
> the skills should also be frowned upon.  In something that 
> recent legislation
> here in Australia brought up, it's against the law to publish 
> a book which
> is instructional on committing a crime.

Again we return to one of the critical questions: internet law.  What
constitues a crime and how can those crimes be prosecuted internationally?
Should a country refuse to sell books about things that aren't a crime in
their country if they might be a crime in another country?  What if someone
orders a copy of the book and has it shipped to them?  What if this country
has a copy of the book on the internet?

> The Internet has changed all that
> with instructional pages on just about everything under the 
> sun available.

This has been the case for a long time.  I ran a BBS back in the early 80's
and all this information was a phonecall away even back then.  The recent
popularization of the internet has just increased the percentage of people
with access to the information -- something that can be neither helped or
prevented.  If the instructions are burned, some smart kids are just going
to figure it all out again.  I'm a programmer by trade, and if I was
interested enough, I could figure much of it out from scratch also -- no
"how-to" books needed.  Kind of like how an engineer has the skills needed
to figure out how to demolish a building and have it fall straight-down
instead of toppling sideways (which is also done regularly).

> I don't know if it's the same elsewhere with books, but condoning the
> disemination of knowledge about how to break the law seems 
> somehow flawed.

It might be, but law is a sticky issue, and the internet is still very new
territory as far as law is concerned.  Further, it's essentially impossible
to control the dissemination of knowledge, especially now that the internet
exists.  It's one thing not to condone the dissemination of knowledge, it's
another to prevent it.

If the issue is E&Y's course -- they're preventing the average kid from
gaining the knowledge just by charging the $5000 pricetag for the course.
Besides, I'd be willing to bet that much of the content from the course has
been gleaned from various sources on the internet anyway.  Most of these
courses are a tad behind-the-curve as far as the cutting-edge of whatever is
concerned.  People pay the obscene amounts of money to have it encapsulated
for them because they can't afford to spend the time to go and find it on
their own.


Sean