Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"

["Marcus J. Ranum" <mjr () ranum com>]

Barrie Dempster wrote:
> Freedom-loving people understand that, to resist the inevitable
> > trend toward tyranny, it is important that "the tree of liberty be
> > refreshed from time to time with the blood of patriots and tyrants."
> > But Jefferson probably would have drawn the line at watering the tree
> > of liberty with innocent victims chosen at random based on their
> > IP address.
>
> He would draw the line at targeting innocents but he didn't draw the
> line at researching and understanding the weapons that could be used for
> this because he knew the benefits that could come from this.

I completely agree. Knowledge and weapons are sources of power,
and should be developed and maintained for the good of the people
and the defense of the state.

> They're not interested in
> > protecting the world against tyranny; they just want to hype
> > themselves so they can get better consulting contracts or promote
> > the products they want to sell.
>
> So because of the opportunists the whole security industry is bad?

Of course not! There are opportunists everywhere. What happens is
that, over time, they poison the well until a field matures. That's why
established fields like law, accounting, engineering, and medicine
have codes of ethics, etc. These can be seen as marketing reactions
to rampant malpractice or charlatanism in a field. One interesting
thing I learned from my accountant is that accounting fraud is almost
always perpetrated by - accountants. That's why accountants try
to look over eachothers' shoulders, ad infinitum.

Is security currently full of malpractice and charlatanism? I don't
think so, actually. BUT I do believe security practitioners have
been doing a lot of sleeping with the enemy. Worse, I think there
has been a small but significant revolving door (or should I say
backdoor?) between security practitioners and the hacker/cracker
community. Outsiders are aware of this, as well, and it manifests
itself whenever some fool from the media smirks and asks me
about my hacker background, "After all, haven't all you security
guys been hackers at some point or another?"

> This is a close mirror of what goes on in Security,
> pointing out and detailing a flaw does not make you a criminal - using
> that flaw can do.

You're absolutely correct.

I'd add the caveat - and it's an important one - that pointing out
and detailing a flaw brings with it some responsibility for the
safety of potential victims, even while you're acting as a
whistle-blower. I'm deeply concerned that many security
practitioners have adopted the view that their responsibility
ends at the point where they discover something dangerous -
that dealing with it is "someone else's problem" and they
forgive themselves of any negative consequences that may
follow from their actions.

> It's the role of a responsible researcher to try to
> prevent this, by coming up with protection mechanisms. You can't protect
> against something if you don't know what it is. This is where coding
> exploits and understanding them openly becomes beneficial.

Where is this great benefit, then?

Since the "disclosure" topic first hit the radar screen in the early
90's, the premise has been that disclosure and open discussion
of exploits and vulnerabilities was going to make computer
systems security better. So, where is this great benefit?

Oh, sure, bugs are getting fixed (because the vendors are faced
with the alternative of knowing their customers will be victimized
immediately if they don't) - but it has created a coercive
environment in which security practitioners are spending more
time fighting thousands of brush-fires (look! another IE bug!)
than doing anything useful. It depresses me because it appears
that vendors are so much time hunting nitpicky bugs and rolling
patch releases that they still don't have time to architect their
products well. The message is getting lost in the noise. So,
where is this great benefit?

Certainly, the amount of vulnerability disclosure and dissemination
of exploits that has been going on since the early 90s has been
a tremendous benefit to all the script kiddies, spammers, and
bot-netters. It's been a tremendous benefit in that it has created
a whole market for rapid application of software patches. It's
turned a whole industry into idiots running around like crazed
weasels slapping band-aids on things because they don't have
time to think. Is this great benefit?

> If it was
> done behind closed doors by the revolutionaries you believe should be
> doing this, then the benefit wouldn't be felt by people outside of these
> groups.

I think the methods of true revolutionaries would be completely
different from what we're seeing going on today in security.
True revolutionaries, as I implied in an earlier posting, would be
infiltrating their targets, forming cells, designing and hoarding
weapons, and preparing for when the time was right to strike.

True revolutionaries would not be hopping up and down screeching
for attention and making chimpanzee noises whenever they
found yet another buffer overrun in some product. True revolutionaries
would not be carefully negotiating the terms of how they release
a vulnerability announcement so as to get maximum press mileage
out of the vendor. And you KNOW that's what's going on.

I do not, by the way, believe that revolutionaries would be wasting
their time with Internet security at all. I'm not a revolutionary, myself,
I'm actually a patriot - and yes, I can envision situations wherein
I would cheerfully fight, kill, or die for the ideals of The United States.

But the revolutionary rhetoric is interesting. Especially since I grew
up with a father who's a historian who's spenta a lot of his life
studying the history of the French revolutions and it was a frequent
dinner-table topic. And you wonder why I'm weird? (By the way,
dad's book on The Fronde is pretty cool)
http://www.amazon.com/exec/obidos/tg/detail/-/0393035506

> You seem to miss the most important point that many security
> researchers have a belief in. The information should be available to
> anyone that can make use of it. The attackers will always have it
> because they are determined enough, they will always be hidden away in
> corners coding up shellcode and exploits. Unless this is openly studied
> then the defenders lose out not the attackers.

I'm very aware of that ideology but I don't completely agree with it.

Why not? Because it ignores the reality that information is not
value-neutral. Information IS a weapon. Even casual reflection on
the history of warfare should make this abundantly evident.

Thus the idea that: "information should be available to
anyone that can make use of it" is ridiculous, unless you assume
that everyone is marching toward a common purpose. They are
not, in warfare or in internet security.

Lastly, "The attackers will always have it because they are determined
enough" is basically one of the oldest tenets of military intelligence:
namely that information's military value has a limited life-span. Indeed,
the entire art of military intelligence revolves around lengthening the
lifespan of your valuable information while shortening the enemy's. So,
yes, you assume the enemy is diligent in trying to gain information
and will eventually gain it. But that doesn't make you any less of a fool
if you publish it early, unless you do so for a reason and in a manner
of your own choosing.

I am not advocating ignorance and I am not saying that information
should not be shared. I am, however, advocating that information
be treated as potentially harmful and that the impact of sharing it
should always be carefully assessed. An ideology of "publish everything"
is ridiculous - by that logic the US Government should post
plans for hydrogen bombs, delivery systems, and gyroscopic
controls along with the exact GPS coordinates of the containment
vessels for civilian nuclear reactors.

So, yes, I am aware of the "information sharing" ideology and
I think it's utterly foolish.

> You seem to believe that if security consultancies didn't release
> exploits you wouldn't have to "hunker down behind your firewall".That
> seems to be a very naive position.

No.. It's an idealistic position. :) Which, I admit, makes it border
on naive!

There are many things in the world that we need to accept as part
of the natural landscape: hurricanes, tornadoes, the common cold,
influenza, AIDS, etc. If I stood up and spoke out against hurricanes,
"they're a BAD IDEA!" I think we could all agree that I was a nut.
But attacks against computers are not something we should
accept as part of the natural order!! This is self-inflicted!! It's people
doing this to other people - malcode doesn't JUST HAPPEN, it
happens as a consequence of someone making a decision to
harm other people. There is a moral dimension to hacking that
does not exist with hurricanes or the AIDS virus.

In a perfect world I wouldn't need a firewall. In a perfect world
I wouldn't need to lock my car because my possessions would
be respected. In a perfect world I wouldn't have to defend my
land against trespassers because they would respect my
"NO TRESPASSING" signs. Indeed, in a perfect world I would
not even need "NO TRESPASSING" signs because people
would know they should ask permission before they go onto
someone else's property.

I don't expect a perfect world to happen.

But virtual every moral philosophy around which societies are
built carries the assumption within them that the person who
trespasses is WRONG. The person who steals is WRONG.
The person who hacks my machine is WRONG. The person
who rapes or kills is WRONG. It is never the victim's fault.

So, yes, I shouldn't have to have a firewall. But I do. I shouldn't
have to have locks on my doors (which I never use) but I do.
Thus crime hurts us all twice. We are forced to first pay the
cost to defend ourselves, and again we pay a cost if our
defenses fail and we are victimized.

> Even now WITH this openness we have
> underground 0day trading going on, that will not go away if we make
> exploits forbidden - more researchers will be underground and there will
> be no one above ground keeping the IT industry in the loop. 

This is a military intelligence problem that is historically
addressed through counter-intelligence.

Now, let's talk idealism and naivete. The ideology is that by
sharing this stuff openly, the bad guys will be discouraged from
going underground, right?  Pure game theory, applied to information
sharing says that sharing is good: if you're the recipient. So if
you're a bad guy you develop your best techniques and keep
them secret. When you get tired of them or they are blown you
publish them (thereby "burning" them and reducing their value
to the enemy) - meanwhile you use the fact that you are
publishing techniques as a trade coin to try to get your
enemy to publish their secrets in return. Of course they're
not stupid enough to do that, either, and give you their old
secrets.

This is "military intelligence 101" -- so tell me what makes you
so sure that the "researchers" are publishing their really good
stuff? Naive hope?

> You are discussing crimes and using that to argue against research. Not
> many here would agree with harming innocents. Researching attack and
> defence, patterns and mechanisms give obvious tactical advantage to
> people defending their systems. Using these for illegality is a
> different matter.

What about giving information to those who DO harm innocents?
What about aiding and abetting those who harm innocents?
What about teaching those who harm innocents? What about
        showing them how to write better malware, or how to
        do shellcoding better?
At a certain point, you CANNOT claim your hands are clean
anymore, can you?

> If Dave didn't send us a link to creating
> shellcode on Windows earlier this week, then  the guys committing these
> sort of crimes would cease to do so?

Of COURSE they wouldn't. But they would be doing so without
the advantage of assistance from an expert. They would be doing
so without a so-called "security expert" aiding and abetting them.

> Like I said, without hacking more people would completely trust these
> systems 

Fool. Without hacking THERE WOULD BE NO PROBLEM
WITH THE SYSTEMS AT ALL.

mjr.