Re: [fw-wiz] concerning ~el8 / project mayhem

From: Paul D. Robertson (
Date: 08/17/02

From: "Paul D. Robertson" <>
To: "Marcus J. Ranum" <>
Date: Sat Aug 17 20:04:01 2002

On Sat, 17 Aug 2002, Marcus J. Ranum wrote:

> in the past. If you're a true white hat, you're not replete with
> hacking technique and you're not the kind of guy who can whip out
> a tool to crack into any website any time, or whatever. UNfortunately,

I'm not sure I totally agree with this premise- I think I couldsit
and find and code exploits on my test network if I had the time. I most
certainly could run the kiddie tools, and let's face it, there isn't
really all that much to "hacking technique" until you start to get into
really sophisticated stuff- finding overflows and races is certainly
doable if you're completely clean- you just have to do it on your own

> have that kind of problem with thier customers...) So you have to
> either become a repository of hacking technique yourself, totally
> steer clear of hacking technique, or have friends who have the

If you're looking at the currently exploited vulnerabilities (kind of the
"Wild list" in the attack space) then you don't really need to code your
own tools- you may end up messing around with offsets, fixing purposefully
broken exploits, etc. - but it's not all that difficult...

> hacking knowledge who can step in every so often and back you up.
> So, unfortunately, because our customers have been media-trained
> and hacker-marketed to be stupid* many security professionals
> are now in the situation where they feel they can be embarrassed
> if their hacker buddies get pi*sed off at them and the well of
> information runs dry. I managed to get over and around this problem

I think the biggest trouble with the current scenerio is that many, many
customers don't understand that you don't *need* the attack tools to mount
an effective defense, nor to tell what's wrong with the current one. I
think even vulnerability scanners are mostly a waste of time.

Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation