At 09:42 PM 2/13/96 +0000, you wrote:

>I was just wondering who you thought found any of the holes in the first
>place? It sure as hell isn't down to all you so-called security consultants!
>We use hackers in tiger teams because they use unconventional methods. How
>many of you would go trashing or try some social engineering to gain access
>to a system?
>I'd guess close to none..

In any tiger team assignment our consultants use *all* those techniques, including trashing, social engineering, physical intrusion, etc. There are, however, fewer tiger team assignments for us than analysis assignments. The punishment, so to speak, should fit the crime. It is not appropriate to use those techniques if the assignments don't justify or include the requirements.

>How many hackers......more like *all*
>System security is much more than applying patches.....it requires a
>proactive approach...passwords are a good example.
>How do you know your passwords are uncrackable? Answer, try and crack them
>yourself! There is a lot to be learnt from hackers because however secure
>you think your system is they *will* find a way in!

I can't imagine any security professional *not* recommending that passwords be cracked periodically to ensure that users are employing strong passwords. This is not the hacker's sole prerogative.

There is an interesting point emerging here that may possibly be far more on topic for this list than the childish carping about the morality of this "reformed hacker". What, exactly, is the consultant's role in helping the client: A) respond to an intrusion, B) prevent an intrusion, and (most on topic) C) detect an intrusion in process and respond?

As a consultant for over 15 years, I confront that constantly. Even though none of my staff includes convicted crackers, there isn't one of my senior consultants, myself included, who isn't a "hacker" in the traditional (pre-media hype) sense. In fact, I wouldn't dream of hiring a senior consultant who didn't fit that profile. The ability to perform a good hack is a job requirement for serious security consultants. Otherwise, the consultant isn't good for much beyond writing sterile policies and resetting forgotten passwords. Clients expect that a security consultant can understand and manage the same technologies that the bad guys use against them, as well as the more mundane issues of security architectures, policies, standards, risk assessment, etc.

A year ago we did relatively few intrusion tests. Today we do them regularly. We also have formalized, structured test procedures that we use. It all depends upon what the client wants. But, if called upon to do so, we can mount a "hacker attack" with vigor, skill and effectiveness.

I don't think I would trust a convicted criminal on such a team, but, given appropriate supervision and controls, I'm not sure I wouldn't. I've never faced the question in a real situation.

--P

Peter Stephenson, Division President
InfoSEC Technologies division of Sanda International Corp.

Headquarters:                      Operations Center:
401 Pinehurst Drive                590 Lipoa Parkway, Ste 208
Rochester Hills, MI 48309          Kihei, Maui, HI 96753

(810) 650-2699 phone
World Wide Web: http://www.versalink.com
pstephen@versalink.com