Dailydave mailing list archives
Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 21 Sep 2005 14:21:00 -0400
Barrie Dempster wrote:
Freedom-loving people understand that, to resist the inevitabletrend toward tyranny, it is important that "the tree of liberty be refreshed from time to time with the blood of patriots and tyrants." But Jefferson probably would have drawn the line at watering the tree of liberty with innocent victims chosen at random based on their IP address.He would draw the line at targeting innocents but he didn't draw the line at researching and understanding the weapons that could be used for this because he knew the benefits that could come from this.
I completely agree. Knowledge and weapons are sources of power, and should be developed and maintained for the good of the people and the defense of the state.
They're not interested inprotecting the world against tyranny; they just want to hype themselves so they can get better consulting contracts or promote the products they want to sell.So because of the opportunists the whole security industry is bad?
Of course not! There are opportunists everywhere. What happens is that, over time, they poison the well until a field matures. That's why established fields like law, accounting, engineering, and medicine have codes of ethics, etc. These can be seen as marketing reactions to rampant malpractice or charlatanism in a field. One interesting thing I learned from my accountant is that accounting fraud is almost always perpetrated by - accountants. That's why accountants try to look over eachothers' shoulders, ad infinitum. Is security currently full of malpractice and charlatanism? I don't think so, actually. BUT I do believe security practitioners have been doing a lot of sleeping with the enemy. Worse, I think there has been a small but significant revolving door (or should I say backdoor?) between security practitioners and the hacker/cracker community. Outsiders are aware of this, as well, and it manifests itself whenever some fool from the media smirks and asks me about my hacker background, "After all, haven't all you security guys been hackers at some point or another?"
This is a close mirror of what goes on in Security, pointing out and detailing a flaw does not make you a criminal - using that flaw can do.
You're absolutely correct. I'd add the caveat - and it's an important one - that pointing out and detailing a flaw brings with it some responsibility for the safety of potential victims, even while you're acting as a whistle-blower. I'm deeply concerned that many security practitioners have adopted the view that their responsibility ends at the point where they discover something dangerous - that dealing with it is "someone else's problem" and they forgive themselves of any negative consequences that may follow from their actions.
It's the role of a responsible researcher to try to prevent this, by coming up with protection mechanisms. You can't protect against something if you don't know what it is. This is where coding exploits and understanding them openly becomes beneficial.
Where is this great benefit, then? Since the "disclosure" topic first hit the radar screen in the early 90's, the premise has been that disclosure and open discussion of exploits and vulnerabilities was going to make computer systems security better. So, where is this great benefit? Oh, sure, bugs are getting fixed (because the vendors are faced with the alternative of knowing their customers will be victimized immediately if they don't) - but it has created a coercive environment in which security practitioners are spending more time fighting thousands of brush-fires (look! another IE bug!) than doing anything useful. It depresses me because it appears that vendors are so much time hunting nitpicky bugs and rolling patch releases that they still don't have time to architect their products well. The message is getting lost in the noise. So, where is this great benefit? Certainly, the amount of vulnerability disclosure and dissemination of exploits that has been going on since the early 90s has been a tremendous benefit to all the script kiddies, spammers, and bot-netters. It's been a tremendous benefit in that it has created a whole market for rapid application of software patches. It's turned a whole industry into idiots running around like crazed weasels slapping band-aids on things because they don't have time to think. Is this great benefit?
If it was done behind closed doors by the revolutionaries you believe should be doing this, then the benefit wouldn't be felt by people outside of these groups.
I think the methods of true revolutionaries would be completely different from what we're seeing going on today in security. True revolutionaries, as I implied in an earlier posting, would be infiltrating their targets, forming cells, designing and hoarding weapons, and preparing for when the time was right to strike. True revolutionaries would not be hopping up and down screeching for attention and making chimpanzee noises whenever they found yet another buffer overrun in some product. True revolutionaries would not be carefully negotiating the terms of how they release a vulnerability announcement so as to get maximum press mileage out of the vendor. And you KNOW that's what's going on. I do not, by the way, believe that revolutionaries would be wasting their time with Internet security at all. I'm not a revolutionary, myself, I'm actually a patriot - and yes, I can envision situations wherein I would cheerfully fight, kill, or die for the ideals of The United States. But the revolutionary rhetoric is interesting. Especially since I grew up with a father who's a historian who's spenta a lot of his life studying the history of the French revolutions and it was a frequent dinner-table topic. And you wonder why I'm weird? (By the way, dad's book on The Fronde is pretty cool) http://www.amazon.com/exec/obidos/tg/detail/-/0393035506
You seem to miss the most important point that many security researchers have a belief in. The information should be available to anyone that can make use of it. The attackers will always have it because they are determined enough, they will always be hidden away in corners coding up shellcode and exploits. Unless this is openly studied then the defenders lose out not the attackers.
I'm very aware of that ideology but I don't completely agree with it. Why not? Because it ignores the reality that information is not value-neutral. Information IS a weapon. Even casual reflection on the history of warfare should make this abundantly evident. Thus the idea that: "information should be available to anyone that can make use of it" is ridiculous, unless you assume that everyone is marching toward a common purpose. They are not, in warfare or in internet security. Lastly, "The attackers will always have it because they are determined enough" is basically one of the oldest tenets of military intelligence: namely that information's military value has a limited life-span. Indeed, the entire art of military intelligence revolves around lengthening the lifespan of your valuable information while shortening the enemy's. So, yes, you assume the enemy is diligent in trying to gain information and will eventually gain it. But that doesn't make you any less of a fool if you publish it early, unless you do so for a reason and in a manner of your own choosing. I am not advocating ignorance and I am not saying that information should not be shared. I am, however, advocating that information be treated as potentially harmful and that the impact of sharing it should always be carefully assessed. An ideology of "publish everything" is ridiculous - by that logic the US Government should post plans for hydrogen bombs, delivery systems, and gyroscopic controls along with the exact GPS coordinates of the containment vessels for civilian nuclear reactors. So, yes, I am aware of the "information sharing" ideology and I think it's utterly foolish.
You seem to believe that if security consultancies didn't release exploits you wouldn't have to "hunker down behind your firewall".That seems to be a very naive position.
No.. It's an idealistic position. :) Which, I admit, makes it border on naive! There are many things in the world that we need to accept as part of the natural landscape: hurricanes, tornadoes, the common cold, influenza, AIDS, etc. If I stood up and spoke out against hurricanes, "they're a BAD IDEA!" I think we could all agree that I was a nut. But attacks against computers are not something we should accept as part of the natural order!! This is self-inflicted!! It's people doing this to other people - malcode doesn't JUST HAPPEN, it happens as a consequence of someone making a decision to harm other people. There is a moral dimension to hacking that does not exist with hurricanes or the AIDS virus. In a perfect world I wouldn't need a firewall. In a perfect world I wouldn't need to lock my car because my possessions would be respected. In a perfect world I wouldn't have to defend my land against trespassers because they would respect my "NO TRESPASSING" signs. Indeed, in a perfect world I would not even need "NO TRESPASSING" signs because people would know they should ask permission before they go onto someone else's property. I don't expect a perfect world to happen. But virtual every moral philosophy around which societies are built carries the assumption within them that the person who trespasses is WRONG. The person who steals is WRONG. The person who hacks my machine is WRONG. The person who rapes or kills is WRONG. It is never the victim's fault. So, yes, I shouldn't have to have a firewall. But I do. I shouldn't have to have locks on my doors (which I never use) but I do. Thus crime hurts us all twice. We are forced to first pay the cost to defend ourselves, and again we pay a cost if our defenses fail and we are victimized.
Even now WITH this openness we have underground 0day trading going on, that will not go away if we make exploits forbidden - more researchers will be underground and there will be no one above ground keeping the IT industry in the loop.
This is a military intelligence problem that is historically addressed through counter-intelligence. Now, let's talk idealism and naivete. The ideology is that by sharing this stuff openly, the bad guys will be discouraged from going underground, right? Pure game theory, applied to information sharing says that sharing is good: if you're the recipient. So if you're a bad guy you develop your best techniques and keep them secret. When you get tired of them or they are blown you publish them (thereby "burning" them and reducing their value to the enemy) - meanwhile you use the fact that you are publishing techniques as a trade coin to try to get your enemy to publish their secrets in return. Of course they're not stupid enough to do that, either, and give you their old secrets. This is "military intelligence 101" -- so tell me what makes you so sure that the "researchers" are publishing their really good stuff? Naive hope?
You are discussing crimes and using that to argue against research. Not many here would agree with harming innocents. Researching attack and defence, patterns and mechanisms give obvious tactical advantage to people defending their systems. Using these for illegality is a different matter.
What about giving information to those who DO harm innocents? What about aiding and abetting those who harm innocents? What about teaching those who harm innocents? What about showing them how to write better malware, or how to do shellcoding better? At a certain point, you CANNOT claim your hands are clean anymore, can you?
If Dave didn't send us a link to creating shellcode on Windows earlier this week, then the guys committing these sort of crimes would cease to do so?
Of COURSE they wouldn't. But they would be doing so without the advantage of assistance from an expert. They would be doing so without a so-called "security expert" aiding and abetting them.
Like I said, without hacking more people would completely trust these systems
Fool. Without hacking THERE WOULD BE NO PROBLEM WITH THE SYSTEMS AT ALL. mjr.
Current thread:
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site", (continued)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Jonathan Karon (Sep 20)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Drsolly (Sep 21)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Marcus J. Ranum (Sep 21)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" haroon meer (Sep 21)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Jonathan Karon (Sep 20)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Barrie Dempster (Sep 21)
- RE: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Paul Melson (Sep 21)
- RE: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Drsolly (Sep 21)
- RE: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Barrie Dempster (Sep 21)
- Message not available
- Re: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Marcus J. Ranum (Sep 21)
- Message not available
- Re: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Barrie Dempster (Sep 21)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Marcus J. Ranum (Sep 21)
- Life, the Universe, and Everything (was: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site") I)ruid (Sep 23)
- RE: Life, the Universe, and Everything (was: Exactly 500 word essay on"Why hacking is cool, so that Marcus changes his web site") Jos Pols (Sep 23)
- RE: Life, the Universe, and Everything (was: Exactly 500 word essay on"Why hacking is cool, so that Marcus changes his web site") Bryan McAninch (Sep 24)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Robert Nickel (Sep 26)