Re: Question. (Was re:hacker's intro)

Gene Spafford (spaf@cs.purdue.edu)
Tue, 20 Feb 1996 22:47:34 -0500

1) There are people on this list (and on other lists) who seem to
think that anyone managing a Unix system is a security professional.
Many of those people think that a cracker's mindset is special, and
crackers' techniques useful.  They are mistaken, but do not have the
experience to understand it.  This is not an issue we can resolve in
this mailing list.

2) There are people on this list who espouse views such as:

> I was just wondering who you thought found any of the holes in the first
> place? It sure as hell isn't down to all you so called security consultants!

...as if it was our jobs to find all the bugs in distribution software
for someone else.  Yeah, right, in our spare time.

I dare say that if you were to pay Fred Cohen and myself and other,
similar professionals our going rates and asked us to comb through a
distribution version of a system, we'd uncover many (and maybe most)
of the holes and problems.  However, that takes time, effort and
money.  That's why those systems are shipped with the holes in them --
it takes too long and is too expensive for the vendors to find them.
Instead, it is cheaper to ship them and respond to the holes as they
are discovered.

Of course, if you hired one of us as professional consultants, we'd
also help you review (or write) a formal security policy, do a risk
assessment, do a physical site review, test alarms and physical
controls, coordinate spot personnel audits, institute an awareness
program, update business continuation plans, spot-check data recovery
services, review liability exposures, and a whole lot of other things
that are critical to good security -- we realize that the majority of
losses at most sites come from insiders abusing the system, not from
ankle-biters off the net.  If you think someone whose major
recommendation is that he or she knows how to come in from the
Internet to install a password sniffer and exploit a race condition on
Unix is therefore somehow well-suited to protect your site, well, you
may deserve what you get.

3) As someone who has discovered lots of flaws, I can tell you that
discovering them and getting them fixed is a far different and more
private pursuit than exploiting them or blasting details out to
mailing lists.  The fact that you don't hear about them being found
and reported doesn't mean it isn't happening.

4) This whole thread is getting far afield of IDs.  I already dropped
my subscriptions to several other security mailing lists because they
had a high noise level from people who had installed "crack" and
"COPS" and thus decided they were security experts. Please let's not
let that happen to this list too?  Can we please go back to intrusion
detection as a topic?

For instance, let's get back to the fact that more than 75% of system
abuses in typical commercial environments come from insiders.  Is
anyone looking at what is different about these insiders that can be
detected or monitored?

--spaf