Information Security News mailing list archives
Random rants on the subject of: ISN Digest - 5 Oct 2000 to 6 Oct 2000 (#2000-185)
From: The Dodger <dodger () 2600 COM>
Date: Sun, 8 Oct 2000 18:00:30 -0400
Lewis Z. Koch theorised that the US Government might decide to build new juvenile detention centres for teenage hackers:
Maybe they could bring in some other networked kiddy criminals for peer counseling - like 15-year-old Jonathan Lebed, of Cedar Grove, N.J. Lebed was the kid who made $273,000 by illegally promoting stocks on the Internet in what the Securities and Exchange Commission called a "pump and dump" scheme. It seems that Lebed would go into a chat room or log on to a bulletin board and announce that a penny stock, about which he had "secret, inside" information, was going to rise to $20. Lebed didn't have to go to jail, but he did have to return all the money plus $12,000 in interest.
Terrific! The next George Soros. Hope the SEC thing doesn't have any detrimental effect on what should be a bright future for this lad with some investment bank like Goldman Sachs or Merrill Lynch (didn't you Yanks invent Capitalism?). Fortunately, he doesn't have a conviction - http://www.zdnet.com/zdnn/stories/news/0,4586,2630621,00.html
Carole Fennelly wrote about "Security through Obscurity":
That accusation was leveled at me. I had recommended that a client have internal mail headers stripped out at the firewall before being sent outside the company. I thought this was just good common sense. I even provided the technical solution to do it in the MTA they were running (sendmail). The admins balked and stated that "no one does this". OK. So I asked the sendmail gods at sendmail.org for guidance. To my surprise, they also felt it was unnecessary and even inadvisable. In fact, some said I was "paranoid" and relying on "security by obscurity". [...] I still think that it's foolhardy to advertise internal information so promiscuously because the first step in attacking a site is gathering as much information about the site as possible [...]
I'm in agreement. If there's any way of making it more difficult for someone to break in, then do it. Today's piece of secure software is the subject of tomorrow's Bugtraq posting. Knowing what I know about the modus operandi of many crackers (who often scan thousands of hosts checking for security flaws), I think it's a good idea to avoid allowing your IP address to appear on the list of sites vulnerable to the latest 0-day exploit.
Random extracts from Richard Thieme's column on "The Face of Evil":
I interviewed Dan Geer for next month's Information Security Magazine. Dan Geer is incredibly smart. He is currently Chief Technology Officer for @stake and newly elected president of Usenix. He has a doctorate from Harvard and helped develop the Athena Project and Kerberos at MIT. When you're talking to a guy like that about computer security and he tells you that he only hires people who are "sadder but wiser," you pay attention. By that he meant that he wants people who know what's really at stake. The urgency of their work must be energized by an encounter with the face of evil so they understand what they're up against and why their work matters. [...] "You tell me there's no God," said Geer, "and I'll ask you to look me in the eye and tell me there's no such thing as evil. If you can't do the one, you lose the right to do the other."
I'm not sure exactly what point Thieme is trying to get across here, but I find it slightly worrying that the CTO of a computer security company speaks in these terms, which seem to indicate that he may view hackers as being evil. I had hoped that the demonisation of hackers was a thing of the past. Note that I do not deny the existence of Evil, nor that the CIA and NSA probably protect the United States against many enemies that we never hear about, but I fear that this article makes associations which are, at best, tenuous and, at worst, play into the hands of those who seek to exaggerate the threat from hackers and cyber-terrorists for their own ends. Funding in the post-Cold War era is harder to come by, I hear. I find it slightly ironic, however, that while Thieme seems to accept without question the implied danger of "death and destruction" and that Brian Snow must protect his sources and methods, he later asserts that:
To know the truth, however, there must be disclosure. Without disclosure, there is no truth. Without truth, there is no accountability. Without accountability, there is no justice.
Today's rants were brought to you by the letter C for Carnivore.
D.
PS: Oh, go on, I admit it - C is for Cynicism too.
ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
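The header-stripping recommendation quoted from Carole Fennelly above is easy to see in concrete terms: the Received: trace lines and client headers on an outbound message name internal hostnames, private addresses and MTA versions. The following is an added illustration, not code from the original post and not sendmail configuration; it is a stand-alone Python script using the standard library's email package, with a constructed sample message and a hypothetical internal domain "corp.example". It reports what the headers give away, then drops Received: lines that reference internal hosts and the client-noise headers, leaving delivery headers intact.

```python
"""Strip internal routing information from an outbound message.

Added example (not from the original post). The internal domain,
the sample message and the header names are assumptions for illustration.
"""
import ipaddress
import re
from email import message_from_string, policy

# Hypothetical internal domain (assumption, not from the post).
INTERNAL_DOMAIN = "corp.example"

# Headers that describe the sender's client or internal address and are
# never needed to deliver the message once it leaves the organisation.
NOISE_HEADERS = ("X-Mailer", "X-Originating-IP", "User-Agent", "X-MimeOLE")

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_INTERNAL_HOST = re.compile(r"\b[\w.-]*" + re.escape(INTERNAL_DOMAIN) + r"\b")

# Constructed sample: two internal hops, a client banner and an internal IP.
SAMPLE = """\
Received: from mail-gw.corp.example (mail-gw.corp.example [10.0.0.5])
        by relay.corp.example (8.11.0/8.11.0) with ESMTP id e98H0Zq12345
        for <bob@example.net>; Fri, 6 Oct 2000 13:00:35 -0400
Received: from alice-pc.corp.example ([192.168.4.17])
        by mail-gw.corp.example (8.11.0/8.11.0) with SMTP id e98H0Xa11111;
        Fri, 6 Oct 2000 13:00:33 -0400
From: alice@example.net
To: bob@example.net
Subject: quarterly numbers
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-Originating-IP: [192.168.4.17]
Message-ID: <39DE0F31.4A2B@corp.example>
Date: Fri, 6 Oct 2000 13:00:30 -0400

Attached.
"""


def internal_refs(text: str) -> set[str]:
    """Return private IPv4 addresses and internal hostnames found in text."""
    refs = set(_INTERNAL_HOST.findall(text))
    for quad in _IPV4.findall(text):
        try:
            if ipaddress.ip_address(quad).is_private:
                refs.add(quad)
        except ValueError:  # version strings such as 5.00.2615.200 look like quads
            pass
    return refs


def header_refs(raw: str) -> set[str]:
    """Internal references in the header block only (the body is the user's)."""
    head = raw.split("\n\n", 1)[0]
    return internal_refs(head)


def sanitize(raw: str) -> str:
    """Drop Received: lines naming internal hosts, plus client-noise headers.

    Received: lines that mention only external hosts are kept, so any
    legitimate external trace information survives.
    """
    msg = message_from_string(raw, policy=policy.default)
    kept = [v for v in msg.get_all("Received", []) if not internal_refs(v)]
    del msg["Received"]          # removes every Received: header
    for v in kept:
        msg["Received"] = v      # re-add the ones that leak nothing
    for name in NOISE_HEADERS:
        del msg[name]
    return msg.as_string()


if __name__ == "__main__":
    print("before:", sorted(header_refs(SAMPLE)))
    cleaned = sanitize(SAMPLE)
    print("after: ", sorted(header_refs(cleaned)))
    print(cleaned)
```

Run as-is, the "before" list shows both private addresses and three internal hostnames; after sanitizing, the only remaining reference is the domain in Message-ID. That is deliberate: Message-ID is needed for threading and duplicate detection, so rewriting it is a policy decision for the gateway rather than something to do blindly, and it is exactly the kind of residual leak to check for after deploying a header-stripping rule in whatever MTA you run.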