Information Security News mailing list archives

Random rants on the subject of: ISN Digest - 5 Oct 2000 to 6 Oct 2000 (#2000-185)


From: The Dodger <dodger () 2600 COM>
Date: Sun, 8 Oct 2000 18:00:30 -0400

Lewis Z. Koch theorised that the US Government might decide to build new
juvenile detention centres for teenage hackers:

Maybe they could bring in some other networked kiddy criminals for
peer counseling - like 15-year-old Jonathan Lebed, of Cedar Grove,
N.J. Lebed was the kid who made $273,000 by illegally promoting stocks
on the Internet in what the Securities and Exchange Commission called
a "pump and dump" scheme. It seems that Lebed would go into a chat
room or log on to a bulletin board and announce that a penny stock,
about which he had "secret, inside" information, was going to rise to
$20. Lebed didn't have to go to jail, but he did have to return all
the money plus $12,000 in interest.

Terrific! The next George Soros. Hope the SEC thing doesn't have any
detrimental effect on what should be a bright future for this lad with
some investment bank like Goldman Sachs or Merrill Lynch (didn't you
Yanks invent Capitalism?). Fortunately, he doesn't have a conviction -
http://www.zdnet.com/zdnn/stories/news/0,4586,2630621,00.html


Carole Fennelly wrote about "Security through Obscurity":

That accusation was leveled at me.  I had recommended that a client
have internal mail headers stripped out at the firewall before being
sent outside the company. I thought this was just good common sense. I
even provided the technical solution to do it in the MTA they were
running (sendmail). The admins balked and stated that "no one does
this". OK. So I asked the sendmail gods at sendmail.org for guidance.
To my surprise, they also felt it was unnecessary and even
inadvisable. In fact, some said I was "paranoid" and relying on
"security by obscurity".

[...]

I still think that it's foolhardy to advertise internal information
so promiscuously because the first step in attacking a site is
gathering as much information about the site as possible [...]

I'm in agreement. If there's any way of making it more difficult for
someone to break in, then do it. Today's piece of secure software is the
subject of tomorrow's Bugtraq posting. Knowing what I know about the modus
operandi of many crackers (who often scan thousands of hosts checking for
security flaws), I think it's a good idea to avoid allowing your IP
address to appear on the list of sites vulnerable to the latest 0-day
exploit.


Random extracts from Richard Thieme's column on "The Face of Evil":

I interviewed Dan Geer for next month's Information Security Magazine.
Dan Geer is incredibly smart. He is currently Chief Technology Officer
for @stake and newly elected president of Usenix. He has a doctorate
from Harvard and helped develop the Athena Project and Kerberos at
MIT. When you're talking to a guy like that about computer security
and he tells you that he only hires people who are "sadder but wiser,"
you pay attention. By that he meant that he wants people who know
what's really at stake. The urgency of their work must be energized by
an encounter with the face of evil so they understand what they're up
against and why their work matters.

[...]

"You tell me there's no God," said Geer, "and I'll ask you to look me
in the eye and tell me there's no such thing as evil. If you can't do
the one, you lose the right to do the other."

I'm not sure exactly what the point that Thieme is trying to get across
here is, but I find it slightly worrying that the CTO of a computer security
company speaks in these terms, which seem to indicate that he may view
hackers as being evil. I had hoped that the demonisation of hackers was a
thing of the past. Note that I do not deny the existence of Evil, nor that
the CIA and NSA probably protect the United States against many enemies
that we never hear about, but I fear that this article makes associations
which are, at best, tenuous and, at worst, play into the hands of those
who seek to exaggerate the threat from hackers and cyber-terrorists for
their own ends. Funding in the post-Cold War era is harder to come by, I
hear.

I find it slightly ironic, however, that while Thieme seems to accept
without question the implied danger of "death and destruction" and that
Brian Snow must protect his sources and methods, he later asserts that:

To know the truth, however, there must be disclosure. Without
disclosure, there is no truth. Without truth, there is no
accountability. Without accountability, there is no justice.

Today's rants were brought to you by the letter C for Carnivore.


D.

PS: Oh, go on, I admit it - C is for Cynicism too.

ISN is hosted by SecurityFocus.com