Re: Don't hire DefCon hackers

[InfoSec News <isn () C4I ORG>]

Forwarded By: /dev/null <null () attrition org>

> ---------- Forwarded message ----------
> From: InfoSec News <isn () C4I ORG>
> X-Sender: isn () idle curiosity org
> To: ISN () SECURITYFOCUS COM
> Date: Tue, 8 Aug 2000 03:06:10 -0500
> Subject: [ISN] Don't hire DefCon hackers
>
> http://www.globetechnology.com/archive/gam/News/20000808/ROUTS.html
>
> VICTOR KEONG
>
> Tuesday, August 8, 2000
>
> From all over the world, they make the annual pilgrimage to Las
> Vegas. They have names such as Mudge, Null and Dark Tangent.
> Tattooed, pierced, tie-dyed and ready to brag, they wear
> motorcycle boots, leather and even kilts in the hot July desert
> sun.

Of the three names above -- and I think I can speak with some
authority on the second -- none are really famous for bragging.  And
from what I saw, the vast majority of Defcon's attendees were wearing
shorts, jeans, and t-shirts in the hot July desert sun; the leather
and kilts came out Saturday night, at the annual Black and White Ball.

> They are, by far, the smartest group of misfits you will ever
> encounter. Some of them have IQs that can boil water, others have

The last time I checked, water boiled at 100 degrees C.  According to
Lewis Madison Terman, who coined the term 'Intelligence quotient' in
1916 and wrote the first book on the subject, the average IQ of a
child is 100.  I should hope that everyone there had an IQ at least
that high.  I do hope you don't imply IQs high enough to boil water
going by the Fahrenheit scale -- that'd be 212, and while the record
IQ on the Stanford-Binet scale -is- 230, I'm somehow doubting there
were people at Defcon who measured quite that high.

> technical and programming skills that can put almost any system
> administrator to shame, and if you run a computer network, they
> can be your worst nightmare. Welcome to DefCon 8.0.
>
> For all their ability, though, businesses should be wary of
> succumbing to the temptation of hiring the enemy to guard their
> systems, as there are better options available.

The enemy?

Excuse me?

Quite a lot of the people who attended this year's Defcon (and the
more technical BlackHat Briefings the week before) are security
professionals. They are security engineers, consultants, application
developers, system administrators, network architects.  They were the
people who write operating systems and intrusion detection software.
They were the people who configure the core routers that make the
internet work.  They were journalists and CEOs.

And apparently they included you, too.

> The most unconventional of conventions, DefCon 8.0 was the annual
> meeting ground for dozens of the computer underground's most elite
> and notorious hackers. Driven by a belief that information should
> be freely available to all, they spend their time creating devious
> and elegant methods of cracking computer security. Any barrier to
> the free access of information is a challenge. And they take the
> challenge seriously. As in previous DefCon gatherings, the hacking
> community flushed out significant system vulnerabilities and
> exploit methods.

That's a hell of a generalization.

I think if you asked around at Defcon and inquired of these 'notorious
hackers' as to whether or not they thought that it was reasonable to
allow anyone and everyone free access to someone's credit card
numbers, banking information, or medical records, they'd laugh in your
face.  It's true that there is a small handful of malicious people who
want such information, but it's definitely not representative of
hackers as a whole, and it's no basis for you to spread fear by
insinuating that because most of us feel that companies shouldn't
sweep software flaws under the carpet we're somehow evil.  We are no
more The Enemy to computer users than Ralph Nader was The Enemy to
Corvair drivers.

> Some say hackers believe that as much system vulnerability
> information as possible should be disclosed in hopes that
> responsible users will employ it to protect their companies from
> being attacked. But are their technological feats more
> self-serving? The counterargument is that many disclosures of
> security holes are "rock-throwing" incidents done by companies or
> individuals to attack dominant vendors such as Microsoft Corp., or
> for the purposes of self-promotion, financial gain or ego
> gratification.

It wasn't too long ago that Microsoft Corporation issued a public
thank you to Dildog (of the l0pht) for the work he has done in finding
vulnerabilities in their software, which has led to them being able to
issue patches quickly.  So it would seem that -they- don't agree with
your incisive analysis...

> Often, such disclosures give not-so-skilled malicious attackers
> (dubbed "script kiddies") point-and-click tools that they can use
> to easily take down Web sites.

This is true.  Have you ever given any thought as to why this is done?
Over and over, security contractors will notify a company that one of
their systems has a vulnerability.  The response from the company is
so often 'Well, is there an exploit for this vulnerability in the
wild?' If the answer is no, then the company won't fix it...they'll
take the risk as acceptable, endangering their customers' privacy and
data integrity in the process.  Due to this apathy on the part of
companies, it has become pretty much necessary to put out an exploit
when a vulnerability is found just so the people with the purse
strings pay attention.

I am by no means saying it's right and proper to actually exploit
holes or use these tools for destructive purposes.  I'm simply saying
that the creation of the tools is not the problem on which you should
be focusing.

> Keeping up with the latest hacking exploits and system
> vulnerabilities can be a daunting task for a business's already
> overworked system administrators. Most information technology
> departments are currently faced with the challenge of managing the
> staffing and processes required for establishing and maintaining
> the security posture for large enterprise networks.

Again, you are correct...and this is the fault of the hackers?  Let me
scroll down a moment -- "Victor Keong is a senior manager in the
secure e-business group at Deloitte & Touche, and is the firm's global
leader for network attack and penetration services."  So your
implication here, if I understand correctly, is that those naughty
hackers shouldn't uncover vulnerabilities in operating systems and
server softwares because it might give system administrators more work
to do?  You, as a senior manager in a secure e-business group, would
advocate that operating systems' vulnerabilities remain hush-hush,
unknown by system administrators who might want to fix them, unknown
by most security engineers, and in fact unknown by most security
consultants -- i.e., known only by those elite few who are able to
figure them out on their own?  Tell me something, Mr Keong: how many
new vulnerabilities have you personally uncovered?  How skilled would
you be as a "global leader for network attack and penetration
services" if you didn't have tools written by someone else to find
vulnerabilities found by someone else that you only know about because
someone else made the information public?

> A very important aspect of this activity is the overall security
> monitoring and advisory management function. This requires
> technically skilled staff who need to be focused on the technical
> details of implementing and managing network security.

Uh-oh...here's the wind-up, where's the sales pitch?

> Fortunately, testing for security vulnerabilities isn't limited to
> the black leather-wearing crowd with The Matrix-inspired
> nicknames. There

The Matrix came out in 1999.  Most of us who are actually skilled have
been around far longer than that.  In fact, you might notice that the
nicknames in The Matrix were inspired by actual hackers, considering
that's what the characters were.  You've got your cause and effect
backwards here.

> are safer, mainstream alternatives. A continuing, qualified
> security advisory service is what corporations should look for
> from consulting firms. Dedicated technical resources will focus on
> identifying and qualifying serious, relevant network
> vulnerabilities as opposed to hacker-driven noise.

Aha!  -There's- the sales pitch!  And I'll bet Deloitte & Touche is
just the source for "a continuing, qualified security advisory
service" and "dedicated technical resources"!  In fact, I bet all of
us so scared by those evil Defcon hackers could call up one Mr. Victor
Keong at Deloitte & Touche, and he can solve all our woes with his
skill at "identifying and qualifying serious, relevant network
vulnerabilities"!

Sheesh.

> Keeping up with the best of the computer underground may not
> require a visit to the tattoo artist just yet.

Um.  What exactly does this sentence have to do with any of the rest
of the article?  Is it the case that in order to be the best of the
computer underground, you have to have a tattoo?  Does Deloitte &
Touche have a policy against hiring people with tattoos, lest they be
secretly The Enemy?  What happens if a Deloitte & Touche employee gets
a tattoo?  Are they fired or do they suddenly become the -best- of the
best of the computer underground?  I'm confused.

> Victor Keong is a senior manager in the secure e-business group at
> Deloitte & Touche, and is the firm's global leader for network
> attack and penetration services.

/dev/null has an IQ high enough to boil water.  Sometimes.

/dev/null

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".