Full Disclosure mailing list archives

Re: Security Industry Under Scrutiny: Part Two


From: "Euan Briggs" <euan_briggs () btinternet com>
Date: Mon, 18 Nov 2002 07:47:49 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
 
I would just like to remind everyone, before you drag this thread on
any longer, that I did NOT post that message. The message was posted
by someone to try and embarrass me etc. and does not represent my
views in any way. FYI, genuine posts from me have my pgp signature,
and always come from euan_briggs () btinternet com. See the attached pgp
key.
 
I really wanted to avoid getting into a discussion over that daft
prank email, but really sockz, you have turned it into a personal
attack. I would just like to say, that I know perfectly well what a
blackhat is, I know perfectly well how blackhats operate, and I know
perfectly well what they are capable of. I have years of experience
that you can't read in a book. So just out of interest, before you
start getting into personal attacks like this, would you mind telling
everyone what your credentials are, that make you think you are in
any position to comment on the blackhat scene? Actually don't bother,
I have better things to do with my time.
 
 Euan aka stripey

----- Original Message -----
From: "sockz loves you" <sockz () email com>
To: <full-disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>; <vuln-dev () securityfocus com>;
<vulnwatch () vulnwatch org>
Sent: Monday, November 18, 2002 12:11 AM
Subject: [Full-disclosure] Security Industry Under Scrutiny: Part Two


hi full-disclosure,

I was going to write to you today about one of the projects I've
been working on, but it's not complete yet, so I'll save it for
another day.  It seems that a lot of people are talking about this
"UK hacker", a 36yo guy by the name of so1o. I won't, cuz it's boring
already.  The other piece of interesting news that I AM going to
discuss though, is the prospect of new or changed legislation
affecting internet security and cybercrime in general.

A couple days ago Wired ran an article
[ http://wired.com/news/politics/0,1283,56351,00.html ]
about changes to legislation in the US, regarding hacking and
terrorism... the Cyber Security Research and Development Act.  What
does this act do?  Well it aims to increase funding for the
security industry in the US, as a means of combating
cyberterrorism and cybercrime.

To quote Michael Grebb in his article:

--------------------------------------------------------------------------------
"the bill's backers said cybersecurity funding is now
inadequate, especially if terrorists were to time cyberattacks with
physical attacks similar to those carried out on Sept. 11, 2001.
The result could cripple vital response services, most of which
rely on computer networks."
--------------------------------------------------------------------------------

This bill aims to increase protection measures against
cyberterrorists by increasing funding for the security industry.
Politicians say it will do this through increasing funding to
colleges and schools around the nation in the hope that they can
reduce the 'moron' side of the moron to expert ratio of computer
security graduates.

How amusing that more than a year after the catastrophic events of
the WTC and Pentagon attacks do we NOW find bills being put into
place to combat terrorism. Now it would seem that you don't have to
work for a terrorist organisation to be targeted by this bill.  It
seems that today if you hack any major corporation or any kind of
government computer (regardless of its use and the information it
holds) you transcend from being "hacker" to "terrorist".  How is it
terrorism when the only fear it inspires is from the story that
the government gives the press?

Why would the government want to create fear?  Because catastrophes
are good for the economy.

--------------------------------------------------------------------------------
"'We will have a synergistic outcome with catastrophic
results,' said Rep. Brian Baird (D-Wash.), who co-sponsored the
bill."
--------------------------------------------------------------------------------

I couldn't have said it better myself.  Once you get through all
the corporate buzzword jargon here we get a sentence that reads
"The end result will be a co-operative effort towards
catastrophe."  If you create more whitehats then you create more
advisories.  If you create more advisories then you create more
0-days available to script kiddies.  When this happens the security
industry makes more money, but more people are at risk.

It's like when an oil tanker bursts a leak and spills oil all over
the ocean.  It's sad for the animals, sure, but all the humans
profit.  The media gets money from covering the spill, scientists
get money for taking care of the animals and then they get more
funding to come up with some new technology "for next time", if
there is a fire then the ppl who put out that fire get paid money,
if there's a terrorist involved then the CIA gets money to track
them down, the list goes on.  With everyone getting paid lots of
money they can afford to buy more stuff. And people buying more
stuff means a greater purchasing power for the State, which
ultimately improves the economy's power in international trade.

The last thing this world needs is more dolts working for the
security industry because it's these idiots who create the oil spill
in the first place.  What we DO need is to redesign the current
system to remove vulnerability information from the eye of the
general public... to avoid a "next time" as much as possible.
Sure it makes money, but releasing more oil (advisories) into the
ocean (community) does not make for a healthy environment
(security).

The other article I looked at was one on news.com, entitled "House
considers jailing hackers for life".
[ http://news.com.com/2100-1001-965750.html?tag=fd_top ]
What is this one all about then?  Well it seems to be the
government's feeble attempt at threatening hackers who could be
labelled as terrorists.  Declan McCullagh writes:

--------------------------------------------------------------------------------
"CSEA expands the ability of police to conduct
Internet or telephone eavesdropping without first obtaining a court
order, and offers Internet providers more latitude to disclose
information to police."
--------------------------------------------------------------------------------

Australia has seen a similar thing happen with ASIO's authority in
the past year or so.  In April, The Australian ran an article by
Kate Mackenzie about deals between law enforcement agencies and
ISPs.

--------------------------------------------------------------------------------
According to sources within the ISP industry, who did
not wish to be named, various law-enforcement agencies were
working directly with large ISPs to formalise the storage and
delivery of data, particularly real-time communications of
suspected individuals.
--------------------------------------------------------------------------------

It is the government's hope that they can combat cybercrime by
increasing surveillance measures and the penalties for hacking.
THIS WILL NOT WORK.  The majority of cybercrime comes in the form
of script kiddies, and employs those exploits that have been known
about for ages.  The whole reason why script kiddies are attracted
to cybercrime is because of the "bad boy" label that they are
branded with by their peers.  So increasing the penalty for
'hacking' will only serve to increase the fame of script kiddies
among their peers, causing more people to jump on the moron wagon
in their course of seeking popularity.

"I could get jailed for life" will become a trendy pickup line in
high schools across the nation.

If you want to combat cybercrime then you have to remove the
information flows to script kiddies.  Since it takes no great
genius to be a script kiddy, this needs to be achieved by using
non-disclosure when it comes to the public at large.

IT IS AN IDIOT'S LOGIC TO WAIT UNTIL THE SCRIPT KIDDY HAS DONE THE
DAMAGE BEFORE WE DO ANYTHING ABOUT IT.

Anyone who tells you otherwise is out for the profit.

--------------------------------------------------------------------------------
So to summarise:

* The government is moving to increase funding for the security
  industry to increase the whitehat population.
* The government thinks it can combat the associated increase in
  script kiddies (from the increase in advisories, resulting from
  the increase in whitehats) by increasing penalties for hacking.
* If we're going to stop script kiddies we need to eliminate them
  from the advisory system.
* Removing script kiddies from the security industry means
  employing non-disclosure mechanisms.
* Waiting for the damage to be done before we do anything about it
  is poor security sense.


I leave you now with a quote from .fred:

"If your hat is black, stay black and keep your mouth shut. If your
hat is white put it proudly on your head, and jump out a 6th story
window grabbing a hold of as many skript kiddies as you fall."


<3 sockz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPdjhcUP0lBKBG8xoEQLDGACdF3VS1ZZrRAfCRr1T4/htIClhpz4An1Jg
HH575J2EDmvoAdiSb4lFUeA0
=vv47
-----END PGP SIGNATURE-----

Attachment: Euan Briggs.asc