Getting recognition that IT security needs to have a say in homeland security is a good thing.
Is an ex-hacker the best choice for this esteemed position? Or will having that type of reputation affect the way his opinions are regarded?
you need someone in there that knows the reality of network security, and who better than an ex-hacker.
No one.
Assuming he can be trusted, and that kinda goes for everyone, who can you trust?
But what about security types that understand defending against hackers?
and I do not discount their talent, but more heads looking at the problem and from different angles is going to bring more ideas and answers to the table.
Again, can you trust a hacker, yes, no and maybe. But if the hacker is on your payroll you do have some control and it can bring a load of insight and knowledge to your security equation.
Ah, but there is that trust thing working in the background.
A tough question for sure.
How does one know? You may have heard about the couple that was spying for Cuba. They were model citizens according to everyone that knew them.
Jeff Moss, as you mentioned in the article, has a habit of living on both sides. I don't think he has scruples or morals, and freely shares information from the black side with the white side and vice versa....sort of a double agent.
Working with people that do that is very dangerous, and you cannot trust them...ever.
That his main interest was in phreaking in the early days. Yet, he is involved in the two biggest hacking conferences in existence.
Politicians are not exactly the trustworthy types either. Just when they are double agents, we call it flip-flopping.
in fact many very knowledgeable IT types consider it an insult to associate it with criminal cracking (my term).
I considered myself a hacker for many years.
We've had chats (Chad's articles) about this before and it seems that the term hacker has been totally subverted by the media.
Agreed. I work for a college and in the IT courses, we teach the difference between hackers and crackers. Far too many people associate hackers as the bad guys because of the mainstream media.
Which college are you referring to? Sorry, I'm the curious type.
I've not attended Black Hat, however at my 1st Defcon last year, so much information was passed it was dizzying; I felt like coming home and unplugging all of my equipment. All to say, with his experience and given the amount of exploits, neglect or just good old ignorance, I am happy he is on our team. Can't wait for this year's Defcon.
I haven't been for awhile and would like to go this year but may not be able to. You are right the learning curve is tremendous.
on January 5, 1919, Anton Drexler, sent Hitler, a corporal at the time, to investigate the German Workers' Party. As a result, party members invited him to join after he impressed them with the speaking ability he displayed while arguing with party members. Hitler joined the party in September 1919, and he became the propaganda boss. The party was renamed the National Socialist German Workers' Party on February 24, 1920, against Hitler's choice of Social Revolutionary Party. Hitler ousted Drexler and became the party leader on July 29, 1921.
Although Adolf Hitler had joined the Nazi Party in September 1919, and published Mein Kampf ("My Struggle") in 1925 and 1926, the seminal ideas of National Socialism had their roots in groups and individuals of decades past. These include the Völkisch movement and its religious-occult counterpart, Ariosophy. Among the various Ariosophic lodge-like groups, only the Thule Society is related to the origins of the Nazi party.
The term Nazism refers to the ideology of the National Socialist German Workers' Party and its Weltanschauung, which permeated German society (and to some degree European and American society) during the party's years as the German government (1933 to 1945). Free elections in 1932 under Germany's Weimar Republic made the NSDAP the largest parliamentary faction; no similar party in any country at that time had achieved comparable electoral success. Hitler's January 30, 1933 appointment as Chancellor of Germany and his subsequent consolidation of dictatorial power marked the beginning of Nazi Germany. During its first year in power, the NSDAP announced the Tausendjähriges Reich ("Thousand Years' Empire") or Drittes Reich ("Third Reich"), a putative successor to the Holy Roman Empire and the German Empire.
I remember reading Mein Kampf in high school and was proud of myself as it was a complicated and convoluted book.
That said, I'd love for you to explain what you were trying to express. I must apologize, but I'm not seeing your point.
if you're paranoid.
I'd rather have Jeff Moss on our side than him working for the opposition.
Besides, with him signing all sorts of forms to the effect of "leak this & it's treason", do you REALLY think he's likely to go giving info away to all & sundry?
I think not.
And this applies to hacking how?????????????????????????????????????????????????????????????????
and besides - the electoral college has prevented this sort of thing despite what the popular press reports.
Any student of western history can see that.
That someone who actually has a clue about cybersecurity will potentially be advising those who are making decisions and policies on cybersecurity.
I have more confidence in those two organizations than Congress as a whole! At least they seem to be open about their shenanigans. More than I can say about our government.
Not very complimentary of our system, but none-the-less, my feelings on it.
how much effort the govs put into defending networks versus how much effort they put into creating ways to attack networks. And watch for abuse, or remission of current abuse. And stay alert for mission creep (actual, or pre-planned).
[Gee, I miss hanging in the forum.
Hi Michael and JC.]
We miss you too. If the reason is that you're busy working, that's a good thing.
I'm concerned about the infamous "mission creep" as well. Lots of security experts are thinking that the focus on cyber security is not going to be effective, just because it's being attempted by the government.
who's the criminal here? The guys who wrote the code that allows all the holes or the guys who subverted it? As soon as we say hacker the evil is implied but perhaps the writers could use a few hackers working for them. The best way to understand the enemy is to hire him. Just ask the CIA.
When we started accepting buggy code as the norm we lost that battle.
those organizations; but that is just the nature of secrecy - I suppose. Not that I'm resigned to it - we just need to fear less, so we don't have so many gov't spooks with too much time in their hands!
A really stressful job. I certainly know I couldn't function in their world. I'd have ulcers on ulcers.
I hope my paranoia doesn't rub off onto you and cause undue stress! I seem to thrive on the malware game! =)
While I am in school looking to formally study Computer Security, I am far from an expert. But I do feel I understand the person you referred to. It seems to me to be one who looks for ways to challenge oneself. It looks crazy, but some chess players will play themselves in a chess game trying to find ways around their own strategies. If I am right, he would think this to be a great new way to challenge himself.
Besides, if what seems to be a threat to him is also a threat to HLS, it seems they would be allies as long as the threat is real, yes?
hackers (actually white hats), writing code; then finding ways to test the limits of that creation.
It is exactly what good mechanical engineers do, but no one infers the criminal bent on them.
Test until failure: the engineer's creed!
I'm glad you're on 'the other side of my screen', pointing out to me the things I miss, or don't notice due to my daily responsibilities.
I think it's about time something like this happened at a 'high level', too. I'll be watching to see just how this goes...
Thanks again, Michael!
etu
So you need to tell me what you think. Is it a good thing to give an ex-hacker that kind of influence?
I think it's a good thing.
I'm no 'geek', but I do see that there exists a category of people that are clueless as to just what and how much of that what can go wrong with being connected the way we are in our time. I tell my students about the 65,000+ communications ports on their computers and their eyes glaze over. To me, that's 65,000+ points of egress into my life.
If he can get that across to the people who need to know, with a good level of shock value for those who might still not 'get it', more power to him.
If you would do great good, master greater evil. How do you locate the former in any way other than the latter? Nor cleave to either.
santee is like reading the JKV sometimes; I really enjoy reading his posts.
In Japanese 'Sensei' is roughly translated as 'One who has walked the path before me' or 'One who has gone before.'
If you look over some of the editorials at attrition.org you will find the experts who have never walked the path being lambasted. All these experts who have never walked the path mostly do not know anything and are not able to do a lot of creative thinking; it has been leached from them by their expertise. Like martial arts, if you want to be effective you must move away from the dojo and the pretty katas into the real world where losing means dying. You do not necessarily have to talk the talk, but you have to walk the walk!
Here you are speaking of national security, losing means dying. What do you want: someone who cannot walk the walk but has the alphabet soup behind his name, or someone who has walked the walk and knows how to handle many situations in his sleep and can creatively think about new situations?
Me? If I were looking to secure a building I would hire a burglar to analyze the physical structure and entry paths and not some wannabe security expert.
If the person has a criminal record, so what. If he has done his time, your depriving him of an opportunity to better himself and usefully contribute to society may drive him back into what he came from. Now you are stuck with the situation of the real expert facing the wannabe expert. Who do you think would win? Having a criminal record or being a REAL hacker, rather than a script kiddie, has nothing at all to do with national allegiance and security expertise. Allegiance and expertise are what the job is about. Get the best!
sometimes when you hire a thief, you just make it easier for him to get your goods... not saying that people can't mend their ways and do what is right, but that is not the path most take.
The hard part is getting and keeping trust after it has been broken. I don't have any good answers on how you do that.
I think in this case it is simpler.
Normally you start out with individuals that are supposedly trustworthy and do not pay special attention to their actions until they prove otherwise.
In this case it is someone whose trust is questioned and you know you need to watch closely.
I say give him free rein while listening and learning from his advice while never letting him out of your sights.
Oh yeah, don't forget that he is probably smarter than you and if you turn your back on him or stubbornly resist his advice he will make you look like an @$$.
Yes, he should. If he is going to work on the government side, he must. He, or a colleague can go gather information, but to be a speaker is to operate on the opposite side...if he were to try to convince them to change their ways, he'd be ignored or jeered at, and not asked back. Most of the people at these conferences revel in their black hat side...they enjoy being known as either operating illegally or using civil disobedience.
The flip side will occur as well, where the hacker community may view him differently as well.
some IT security folks look to Defcon and Blackhat for research on how to avoid being pwned.
Not everyone looks at this individual as a crook. Phreaking was an early stage of experimentation by curious novices at the start of the net.
The only way you could judge your effectiveness was to get into trouble, back in those days. Kind of like juveniles with nothing interesting to do, pulling highjinks. However, I'm not familiar with his past.
Absolutely not! The Feds attend not only to learn but to get to know some of the competition. In fact, one of the favored activities is the "Identify the Fed" game.
Your hacker is part of a larger group and his knowledge is part of a larger community. Depriving the individual of this community would be to deprive him of a knowledge that would exceed his own. As was said earlier, watch the individual and learn from him.
Jeff Moss mentioned that he would now have an advantage in that contest being in Washington more.
Hackers are the type of people that want to know how things work, and to see if they can beat them. To prove that they're smarter than the so-called "experts".
The feeling of superiority they get is a high that's much more important than money. So much so that the NEED to tell someone about their "perfect" crime is usually what gets them caught.
From that perspective, Moss doesn't really have anything left to prove in this area. There can be no greater recognition than having this group of experts not only recognize him but effectively bow to his abilities by offering him a job. They are saying: "Regardless of your background, we NEED you."
Besides, I'm sure someone of Moss's intelligence realizes that since he is now in the inner circle, he would most certainly be under a microscope if anything illegal took place.