Full Disclosure mailing list archives

Re: USDOJ BRAINWASHING TECHNIQUES


From: Darren Reed <avalon () caligula anu edu au>
Date: Wed, 11 Jun 2003 12:05:07 +1000 (Australia/ACT)

In some mail from KF, sie said:

The fact is we need to take measures that help children
understand hacking. This is hardly an issue of brain-
washing. It is an issue of survival as a society. The more
we help children understand about malicious hacking, the
less likely they will perform these acts later in life.
That only benefits society on a universal scale.

Imagine if they would have done something like that with future <insert 
company name here> coders... Impress into their brains to not code 
security holes in to <web server xyz> in the first place.

 > Imagine if someone could have swayed the group of "hackers"
 > that destroyed a laboratory's long-term cancer research by
 > teaching them the necessity of universal survival as children.

How about if they swayed the admin (as a child) to just patch his box up...

Don't get me wrong...I will agree that educating children to not hack 
*could* cut down on attacks however it does nothing to stop the 
vulnerabilities that exist in soooooo many products. Time would be 
better spent educating the kids about how vulnerabilities are caused and 
what they could do to help prevent the issues to begin with. Teach these 
kids to not use strcpy into a fixed buffer or something.

The nature of this discussion is disturbing and you've mixed up a
number of completely different problems into the one paragraph, as
if they were somehow an excuse to not promote hacking as bad.
Furthermore you have trivialised a number of points that are serious
issues for the IT industry, as a whole.

1.
Hacking *IS* bad and if children for some reason think it is cool
then they need to be educated so that they understand it is NOT.
There is no two ways about it.  At the small end of the scale, I
don't even view unauthorised port scanning as morally acceptable
(even if the courts don't find it illegal), never mind actually
breaking into one.  It is an invasion of privacy, no two ways about
it.  The presence of software bugs is not an excuse to exploit them.

2.
Secure programming is something that needs to be taught at a level
that is appropriate and that is definitely not primary school or
maybe even grade school.  The problem is children who think they
can program teach themselves bad habits and these bad habits do
not get corrected later as they go on to become professional
programmers.  Regardless of talent, you should not be allowed to
develop commercial applications as a programmer unless you have
been properly schooled and thereafter stay current.  That aside,
security bugs can be much more than just a buffer overflow.  What
is really being said here is that software is not tested/evaluated
to a high enough standard before being sold/shipped - this includes
open source products.

3.
In my eye, it is glaringly obvious that we (the royal we) do
not yet have a sound foundation for what makes up good system
administration practice.  In part the problem here is that
people are encouraged to believe just anyone can do it or,
rather, that just anyone is expected to do it (e.g. Microsoft
Windows 2000 and later for "home".)

Just to leave you with an end teaser, consider what it would
mean if software sold could not disclaim fitness for purpose.

Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

