Information Security News mailing list archives

Shades of gray at security conference


From: InfoSec News <isn () c4i org>
Date: Sat, 4 May 2002 06:21:37 -0500 (CDT)

Forwarded from: bob <bob () globaldevelopment org>

http://news.com.com/2100-1001-897596.html

Shades of gray at security conference
By Robert Lemos
Staff Writer, CNET News.com
May 2, 2002

VANCOUVER, British Columbia--Near a table laden with coffee, tea and
croissants, David Dittrich, senior security engineer for the
University of Washington, discusses the newest tools of the trade with
a hacker-cum-security-consultant known as "K2."

They're a study in opposites: K2, stocky and jovial, has created,
among other things, a "rootkit"--a tool for maintaining and concealing
unauthorized control of a server after an initial break-in. Dittrich,
tall and mainly serious, found K2's rootkit on several systems at UW,
put there by a hacker who grabbed K2's tool off the Net.

Was he angry? "I mainly thought it was funny," Dittrich said.

In fact, the two--who some might think should be on opposite sides of
the computer-security fight--actually work together. They're both
involved in a project aimed at creating networks that act as an
electronic bell jar, putting network attackers and their techniques
under observation.

The relationship between Dittrich, who is widely considered a "white
hat" security expert--one of the good guys--and K2, who some consider
a "black hat," is typical of many who have met here at the CanSecWest
security conference.

Despite the Sept. 11 terrorist attacks and the renewed suspicion that
many security experts feel is directed at their profession, the
hackers and security gurus that attend CanSecWest haven't quietly gone
away.

While attendees mostly consist of independent security experts--in
other words, hackers gone legit--a large portion of industry experts
and a handful of law enforcement and government agents are also
attending.

Among the topics on the agenda: vulnerabilities in Microsoft's .Net
software-as-a-service plan; university networks as a playground for
online vandals; and the legal ramifications of monitoring hacker
activity.

Though the opposite sides mix, they don't always mingle, said K2. "A
lot of the government people don't talk about what they are doing, so
in some cases, it's one-sided," he said. "It needs to be a two-way
street."

"Simple Nomad," an old-school hacker who works for security company
BindView, had an animated discussion with a small bevy of government
workers and law enforcement officers about government security.

Collegial? Perhaps. Yet, later in the day, Simple Nomad gave a
presentation on the various ways terrorists--and the average
Joe--could secretly communicate information to each other and managed
to jokingly thumb his nose at the government in the process.

But while the new concerns brought on by the World Trade Center attack
haven't driven the crowd here underground, they have changed things.

In the shadow of the attacks, security consultants and tool hackers
have, in many ways, dialed down their activities a notch, said Dragos
Ruiu, an independent security consultant and the organizer for the
CanSecWest conference.

"You might as well be an assassin," Ruiu said. "The penalties are
smaller to kill someone nowadays than hacking into a computer."

The problem, Ruiu says, is that the tools created by hackers have two
uses: They can be used to compromise systems, but they can also be
used to secure them. Most people don't understand that and would
rather lump anyone who uses the tools into the same "bad guy"
category.

"People distrust things they don't understand," Ruiu said. "The black
magic factor is high."

Ruiu said he expected that most people at the conference would fall
into the white hat--or security-conscious hacker--category, but there
was no way to be sure.

"You never know who the threats are," Ruiu said. "You really can't
tell who the people are that do the bad stuff."


