Information Security News mailing list archives
Re: Don't hire DefCon hackers
From: InfoSec News <isn () C4I ORG>
Date: Thu, 10 Aug 2000 01:47:51 -0500
Forwarded By: /dev/null <null () attrition org>
---------- Forwarded message ---------- From: InfoSec News <isn () C4I ORG> X-Sender: isn () idle curiosity org To: ISN () SECURITYFOCUS COM Date: Tue, 8 Aug 2000 03:06:10 -0500 Subject: [ISN] Don't hire DefCon hackers http://www.globetechnology.com/archive/gam/News/20000808/ROUTS.html VICTOR KEONG Tuesday, August 8, 2000 From all over the world, they make the annual pilgrimage to Las Vegas. They have names such as Mudge, Null and Dark Tangent. Tattooed, pierced, tie-dyed and ready to brag, they wear motorcycle boots, leather and even kilts in the hot July desert sun.
Of the three names above -- and I think I can speak with some authority on the second -- none are really famous for bragging. And from what I saw, the vast majority of Defcon's attendees were wearing shorts, jeans, and t-shirts in the hot July desert sun; the leather and kilts came out Saturday night, at the annual Black and White Ball.
They are, by far, the smartest group of misfits you will ever encounter. Some of them have IQs that can boil water, others have
The last time I checked, water boiled at 100 degrees C. According to Lewis Madison Terman, who coined the term 'Intelligence quotient' in 1916 and wrote the first book on the subject, the average IQ of a child is 100. I should hope that everyone there had an IQ at least that high. I do hope you don't imply IQs high enough to boil water going by the Fahrenheit scale -- that'd be 212, and while the record IQ on the Stanford-Binet scale -is- 230, I'm somehow doubting there were people at Defcon who measured quite that high.
technical and programming skills that can put almost any system administrator to shame, and if you run a computer network, they can be your worst nightmare. Welcome to DefCon 8.0. For all their ability, though, businesses should be wary of succumbing to the temptation of hiring the enemy to guard their systems, as there are better options available.
The enemy? Excuse me? Quite a lot of the people who attended this year's Defcon (and the more technical BlackHat Briefings the week before) are security professionals. They are security engineers, consultants, application developers, system administrators, network architects. They were the people who write operating systems and intrusion detection software. They were the people who configure the core routers that make the internet work. They were journalists and CEOs. And apparently they included you, too.
The most unconventional of conventions, DefCon 8.0 was the annual meeting ground for dozens of the computer underground's most elite and notorious hackers. Driven by a belief that information should be freely available to all, they spend their time creating devious and elegant methods of cracking computer security. Any barrier to the free access of information is a challenge. And they take the challenge seriously. As in previous DefCon gatherings, the hacking community flushed out significant system vulnerabilities and exploit methods.
That's a hell of a generalization. I think if you asked around at Defcon and inquired of these 'notorious hackers' as to whether or not they thought that it was reasonable to allow anyone and everyone free access to someone's credit card numbers, banking information, or medical records, they'd laugh in your face. It's true that there is a small handful of malicious people who want such information, but it's definitely not representative of hackers as a whole, and it's no basis for you to spread fear by insinuating that because most of us feel that companies shouldn't sweep software flaws under the carpet we're somehow evil. We are no more The Enemy to computer users than Ralph Nader was The Enemy to Corvair drivers.
Some say hackers believe that as much system vulnerability information as possible should be disclosed in hopes that responsible users will employ it to protect their companies from being attacked. But are their technological feats more self-serving? The counterargument is that many disclosures of security holes are "rock-throwing" incidents done by companies or individuals to attack dominant vendors such as Microsoft Corp., or for the purposes of self-promotion, financial gain or ego gratification.
It wasn't too long ago that Microsoft Corporation issued a public thank you to Dildog (of the l0pht) for the work he has done in finding vulnerabilities in their software, which has led to them being able to issue patches quickly. So it would seem that -they- don't agree with your incisive analysis...
Often, such disclosures give not-so-skilled malicious attackers (dubbed "script kiddies") point-and-click tools that they can use to easily take down Web sites.
This is true. Have you ever given any thought as to why this is done? Over and over, security contractors will notify a company that one of their systems has a vulnerability. The response from the company is so often 'Well, is there an exploit for this vulnerability in the wild?' If the answer is no, then the company won't fix it...they'll take the risk as acceptable, endangering their customers' privacy and data integrity in the process. Due to this apathy on the part of companies, it has become pretty much necessary to put out an exploit when a vulnerability is found just so the people with the purse strings pay attention. I am by no means saying it's right and proper to actually exploit holes or use these tools for destructive purposes. I'm simply saying that the creation of the tools is not the problem on which you should be focusing.
Keeping up with the latest hacking exploits and system vulnerabilities can be a daunting task for a business's already overworked system administrators. Most information technology departments are currently faced with the challenge of managing the staffing and processes required for establishing and maintaining the security posture for large enterprise networks.
Again, you are correct...and this is the fault of the hackers? Let me scroll down a moment -- "Victor Keong is a senior manager in the secure e-business group at Deloitte & Touche, and is the firm's global leader for network attack and penetration services." So your implication here, if I understand correctly, is that those naughty hackers shouldn't uncover vulnerabilities in operating systems and server softwares because it might give system administrators more work to do? You, as a senior manager in a secure e-business group, would advocate that operating systems' vulnerabilities remain hush-hush, unknown by system administrators who might want to fix them, unknown by most security engineers, and in fact unknown by most security consultants -- i.e., known only by those elite few who are able to figure them out on their own? Tell me something, Mr Keong: how many new vulnerabilities have you personally uncovered? How skilled would you be as a "global leader for network attack and penetration services" if you didn't have tools written by someone else to find vulnerabilities found by someone else that you only know about because someone else made the information public?
A very important aspect of this activity is the overall security monitoring and advisory management function. This requires technically skilled staff who need to be focused on the technical details of implementing and managing network security.
Uh-oh...here's the wind-up, where's the sales pitch?
Fortunately, testing for security vulnerabilities isn't limited to the black leather-wearing crowd with The Matrix-inspired nicknames. There
The Matrix came out in 1999. Most of us who are actually skilled have been around far longer than that. In fact, you might notice that the nicknames in The Matrix were inspired by actual hackers, considering that's what the characters were. You've got your cause and effect backwards here.
are safer, mainstream alternatives. A continuing, qualified security advisory service is what corporations should look for from consulting firms. Dedicated technical resources will focus on identifying and qualifying serious, relevant network vulnerabilities as opposed to hacker-driven noise.
Aha! -There's- the sales pitch! And I'll bet Deloitte & Touche is just the source for "a continuing, qualified security advisory service" and "dedicated technical resources"! In fact, I bet all of us so scared by those evil Defcon hackers could call up one Mr. Victor Keong at Deloitte & Touche, and he can solve all our woes with his skill at "identifying and qualifying serious, relevant network vulnerabilities"! Sheesh.
Keeping up with the best of the computer underground may not require a visit to the tattoo artist just yet.
Um. What exactly does this sentence have to do with any of the rest of the article? Is it the case that in order to be the best of the computer underground, you have to have a tattoo? Does Deloitte & Touche have a policy against hiring people with tattoos, lest they be secretly The Enemy? What happens if a Deloitte & Touche employee gets a tattoo? Are they fired or do they suddenly become the -best- of the best of the computer underground? I'm confused.
Victor Keong is a senior manager in the secure e-business group at Deloitte & Touche, and is the firm's global leader for network attack and penetration services.
/dev/null has an IQ high enough to boil water. Sometimes. /dev/null ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Don't hire DefCon hackers InfoSec News (Aug 08)
- Re: Don't hire DefCon hackers cult hero (Aug 08)
- <Possible follow-ups>
- Re: Don't hire DefCon hackers InfoSec News (Aug 10)