Re: Expert slams outlandish hacker claims

[InfoSec News <isn () c4i org>]

Forwarded from: Robert G. Ferrell <rgferrell () direcway com>

> Forwarded from: Lance Spitzner <lance () honeynet org>
>
> On Mon, 30 Jun 2003, InfoSec News wrote:
>
> > But Barrett, technical director at Information Risk Management,
> > questioned how any hacker could own 600 computers at any one time.
> >
> >  From his experience working with the police, he said that hackers
> > typically control no more than 12 systems at any time.
> >
> > "The sheer mechanics of 600 computers - no. How can you control 600
> > computers?" he said.

Well, it depends on what you mean by "control." Logistically, it would
be very difficult to dictate every process running on 600 nodes.  
However, simply to compromise and install a backdoor for possible
future use, or run some automated data collection utility that doesn't
require centralized feedback is relatively simple on that scale.

However, I take issue with the bald statement that "the average hacker
'owns' between 600 and 800 systems at any time." That's really
misleading.  How do you define 'average hacker?' The 'average' script
kiddie who defaces Web pages for kicks?  The 'average' IRC packet
monkey who gets off on kicking people he doesn't like from other
people's channels? The 'average' identity thief lying in wait to steal
Privacy Act information from eCommerce sites? The 'average' security
consultant looking to boost his/her media presence?

The 'average hacker' doesn't root anyone's boxes but his own.

RGF

Robert G. Ferrell
rgferrell () direcway com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.