Re: A Challenge
From: Chet Uber (eidetic@mindspring.com) Date: 12/23/01
From: Chet Uber <eidetic@mindspring.com> Date: Sun, 23 Dec 2001 12:31:15 GMT
> >> Paranoia
> >> ---------
> >> "Let's get all the best hackers in one place and see if we can arrest
> >> them (or at least scare them or somebody) with this new anti-terrorism
> >> law (friends close, enemies closer)".
> >
> >Actually only criminals get arrested. It is not a crime to be a hacker.
> >We are looking for trained attackers. People that break into systems for
> >a living, or protect them for a living. Also, while a good number of
> >those involved spend time training LE, this is NOT A GOVERNMENT event.
> >The government does not sanction public attacker|defender events to my
> >knowledge. They could request the event data for research purposes
> >though.
>
> This section is called paranoia. If the FBI wants to profile
> techniques, the results would be a good database.
Yes it would be a good start. And paranoia is a great tool to have in
information security.
> >If you are a criminal, then it would be pretty stupid to show up. If you
> >are a hacker then I don't see what the problem would be. We don't check
> >for mafia decoder rings or anything at the door, we just don't want any
> >trouble makers and you do you to register etc. The problem with criminal
> >hackers is not for the scientists to monitor and police, it is the
> >police. Please note that there will be a number of those types about
> >taking various training.
>
> Unfortunately, public opinion currently equates hackers with
> criminals as a result of the popular media. I do my part; tell
> people just what I could do, and then explain I feel it's unethical,
> or wrong; but often as not, I'm viewed with more suspicion afterward
> simply because I know what's required. I understand about police
> presence. I sometimes get them at my door asking me questions.
Yes this is far too pervasive. It is the norm. It is wrong. See other
post. Thank you for doing your part! Now if everyone would follow that
lead ...
> Realistically, however, the only reasons I won't go are time and
> money.
Where there is a will there is a way. Don't get me wrong, I understand
the crunch of both factors and am feeling them now.
> >> "Let's get all the best hackers together to troubleshoot the new system
> >> to see if it works, and teach us what we have to do to make it better
> >> (smoke and mirrors)".
> >>
> >> (btw, yeah, this is my first post in any of these groups. I may as well
> >> get it over with all at once)
> >
> >There is no system to troubleshoot. We didn't design some new security
> >scheme. We are simply trying to collect data on a specific type of
> >event. Please refer to other posts in this group for some more detail.
> >Also, we have no interest in learning how to secure operating systems
> >that are insecure in the first place.
>
> So it is a "smoke and mirrors" event, and it's up front about it.
> Good. This gives it some credibility. I will be looking over other
> posts. (It occurs to me I may not be clear: Smoke and Mirrors:
> There is no claim to have reached perfection, only an attempt to see
> certain events happen, perhaps to verify a certain plateau has
> actually been reached.
Yes your clarification helps, because generally smoke and mirrors means
that something is not real; and almost always has a negative
connotation. It is definitely not someone trying to prove a system is
secure by banging on it. In the Information Systems Assurance class I
have been involved with, "security by hacking challenge" was exposed for
the fallacy that it is.
> >Personally, I have never figured out how a world that at one time had
> >MULTICS ever settled on Microsoft. It is the old BETA versus VHS issue,
> >except in this one, the only loss WAS NOT a company's profits, it WAS
> >the security of our country's cyber assets. In the name of profits in
> >the greedy 80s and .com 90s we deployed tons of completely insecurable
> >systems. (I know that there is no such thing as a 100% secure system,
> >but that is not the point.) We continue to do so to this day. We think
> >we can now patch our way to salvation, and it just isn't so. I tell
> >clients and students that it is like putting a coat of candy apple red
> >on your car, knowing full well you are going to drive it headlong into a
> >wall at 140.
>
> LOL! Marketing. That's why airbags sell isn't it?
Ugh. I know.
> >Locking down systems is a checklist type function. This is not rocket
> >science. Problem is, you are doing it on a global network with sharing
> >designed in; and inherent security problems that will not go away.
> >Problem is that even when they are locked down the OSs are still
> >vulnerable. For example, the SANS/FBI Top 20 list is all well and good,
> >in that it reduces the overall risk; but new vulnerabilities occur
> >because the systems have inherent problems that allow new ones to occur.
> >The fact that there are still buffer overflows speaks loads to the state
> >of the modern OS. (And then there was XP. Gag. yeah right.)
>
> I fell out of my chair when the CERT advisory came in my email about
> XP. I'd just installed 2000 on 3 new machines, and people were
> asking me why. Now I have to go "patch" a remote network, except for
> one PC, one of the 3 I'd finished.
I have come to expect nothing but the least from Microsoft security
efforts. They just lost the one decent person they had to the national
homeland security effort. I shudder to think what will be next.
> >Sorry for the digression, I just figured maybe if I talked about our
> >intent it might shed some light.
>
> It does. I hope my conclusions are accurate.
Yes they are.
> >Welcome to the "World of USENET!" Your first post was a fine one. :)
>
> My first post in a reputable group (I'm at home; different
> personality set up just now. Somewhat obfuscated headers, but clear
> enough). I've been learning in some of the seedier sections for a
> few years, and have grown tired of questions about hotmail and "just
> wanting to play a joke on a friend"
Kewl.
L8r
eidetic
--Chet Uber, Senior Advisor SecurityPosture 7660 Dodge Street, Suite D Omaha, NE 68154 vox +1 402.498.2673 fax +1 402.391.3906 cell +1 402.671.9720 eidetic@mindspring.com http://www.securityposture.com
If you are not the intended recipient be advised that you have received this email in error and any use, dissemination, forwarding, printing or copying of it is strictly prohibited. It is the responsibility of the addressee to scan this mail and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.
---------------------------------------------- "We Break Things to Make Them Better" (c) 2001. Chet Uber. All Rights Reserved. ----------------------------------------------