Re: [fw-wiz] Re: Ethics, morality and the industry
From: Mark Teicher (mht3_at_earthlink.net)
To: "Paul D. Robertson" <firstname.lastname@example.org>, Paul Foster <Paul.Foster@dmtsystems.net> Date: Fri, 29 Oct 2004 14:18:39 -0400 (GMT-04:00)
Actually there is difference between Frank Abigale and Mitnick. After serving a portion of his time, Frank Abigale went to work in designing systems that are currently in use today. Mitnick, on the other hand, has not contributed at that scale to help improve any of the systems he supposedly broke into it, except to jump start a fledging security industry in taking an interest in the types of ways Mitnick was successful in defeating the security systems in place at the time. The Telecommunications providers have yet to make all the recommended security improvements that allowed Mitnick to accomplish what he did. Let's take a look at other people who suffered the same sort of fate. Intel vs Randall Schwartz (1993), Randal spoke at SANS a while back about his case on "What not to do as a System Administrator". It was a very good talk, getting back on topic, having former criminal speak at conference is not a crime, and they should be rewarded for it, and there should be big statements, like this speaker's honorium/fee is being collected to pay restitution to their victims.
From: "Paul D. Robertson" <email@example.com>
Sent: Oct 29, 2004 1:16 PM
To: Paul Foster <Paul.Foster@dmtsystems.net>
Subject: Re: [fw-wiz] Re: Ethics, morality and the industry
On Fri, 29 Oct 2004, Paul Foster wrote:
> > To my mind the issue is that he's still *profiting* from his crimes.
> > That doesn't do justice to the victims, nor does it send the right message
> > IMO. Crime should not pay.
> How so? He talks about how he would exploit security systems, and this
> is his area of expertise. The guy spent many enjoyable years in jail
> (on his knees?) which does not sound like 'crime pays' to me.
It's also his area of criminality. That's not a good message- there are
*plenty* of good guys who have the same expertise who haven't created
victims who can give out the same information.
It worries me socially that the royal we tend to put these folks on
pedestals when they're nothing more than confidence tricksters who have no
special information or skills.
> > I think that the fettering should include profiting from whatever badness
> > the person did- hey, if he was lecturing on IPv6 security, then I don't
> > see as much of an issue.
> Perhaps he doesn't know squat about IPv6. If we prevent him from
> legally earning a buck on issues he does know, we could inadvertently be
> encouraging use of those skills illegally.
IMO, society would be better served if we *really* rehabilitated them.
Having them stand up in front of people and proclaim how great they were
when they were doing illegal activities seems to run counter-productive
to that to me.
He doesn't know squat about IPv6 because we're letting him cruise on
notoriety rather than making him go get a real job that doesn't profit
from his criminality. And yes, if he's so bent on doing wrong than on
doing the right thing, then let's let him commit more crime, and lock him
up again- because that means he's not reformed and shouldn't be out of
> > I hope that in the future, CSI chooses its keynote speakers more
> > carefully.
> Should we bury our heads in the sand and not learn from people like this?
You can learn all there is to learn without paying them princely sums and
celebrating notoriety. There's both more value in what Howard Schmidt and
Bill Murray say than in what Abignale and Mitnick say, and a better
overall message for the industry and society to send by using them.
Paul D. Robertson "My statements in this message are personal opinions
firstname.lastname@example.org which may have no basis whatsoever in fact."
email@example.com Director of Risk Assessment TruSecure Corporation
firewall-wizards mailing list
firewall-wizards mailing list