"There is one explanation - careless, lazy administration."
The same could be said of any other OS. The patches for open source may arrive quicker than for single-source proprietary code, but the principles are the same.
Whether it's an admin being careless and not updating their software thus allowing a botnet to come in, or whether it's an ignorant end user with unpatched software that gets a botnet infestation, the reason behind the infestation is the same. The difference is that, if the infected system is Linux, it gets blamed on the user. If the infected system is Windows, it gets blamed on Microsoft.
Web servers Linux-based? If so there are a lot more compromised Linux servers than just those C&C servers. It's the bad guys' best bet now of getting malware onto a victim's computer.
Is so dubious to me. I'll admit, it is clear that a large segment of the Web is serviced by Apache based systems. I suppose that it may simply be a case of "picking the low hanging fruit" first. For the longest time, even if there *were* fewer IIS servers, for a variety of reasons, it was easier to harvest them and leave the Linux/Apache servers for the birds.
I think one truth that we're stumbling onto here is that these hackers are not driven by credibility and fame like old-school hackers. This new breed consists largely of Russian organized crime and other groups driven by monetary and ideological motivations. This follows so close on the heels of the revelation of the Russian networks paying $.43 per infected Mac, that it is clear that the Russian criminals, at the very least, are testing the waters to see if they can be profitable exploiting these platforms. If it turns out that they can be, expect to see this kind of thing become more common. I'd say that they're testing the market viability of this business model (expanding out from solely targeting Win32 platforms) with limited trials currently, if I had to guess.
The other possibility, as you suggest, Michael, is that this is just the tip of the iceberg. But I don't think so. Along with the Mac thing, this seems like "test market" logistics, to me.
Don't forget how many times MS has not acted on exploits they were warned about. Don't forget how much time went by on some of them. Linux obviously isn't bullet proof. But it isn't bullet ridden, either...
The fact MS has not acted on exploits has nothing to do with this.
If Windows is administered correctly without lazy practices that are too often seen, then it too can be secure.
Searching for patches, downloading and testing them and then deploying them is a critical part of an admin's day, but how many people take that job as seriously as it should be?
If Linux goes wrong or gets hacked, the user is lazy. If the same thing happens to Windows, it's a poor product!!
I agree ... anyone on any OS who uses insecure external access mechanisms such as ftp, telnet or any other cleartext remote login facility (all r type commands) is asking for trouble, even on internal systems not linked directly to the internet (some employees who know enough to be dangerous are the ones you have to be careful about).
This is the first thing to do when I install a server and better yet installations should be scripted so that you don't *forget* to do these types of standard install configurations on all your server builds.
The bigger issue is sometimes after installation, no one ever goes back to ensure that systems still comply with your standards. Someone may have patched a server and used an insecure method to temporarily move patches to the server and forgot to turn it back off (still a lazy admin issue, since there should be secure methods in place to do this - ssh for unix), and in this day and age there is NO SUCH THING as 'install and forget'. If you don't catch it, I hope your security person/department will ... you can bet your job that hackers will!
Any technology can be made to look bad on account of bad administration. Look at the example above, the person is attempting to install patches (which will likely include security patches), but then leaves the door wide open afterwards ... good intentions, good technology ... bad administration!
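The post above describes the failure mode of a service (FTP, telnet, an r-command) switched on "temporarily" and never switched off, and argues that builds should be scripted and re-checked. The following is an added example, not code from the thread or from any poster: a small drift check that parses `ss -tlnp` output and flags listeners on the cleartext remote-access ports named in the post. The port-to-service table and the sample `ss` output are constructed for the example; the live-host function simply runs `ss -tlnp` and feeds the result to the same parser.

```python
"""Baseline drift check for cleartext remote-access listeners.

Added example (not from the original thread). Parses `ss -tlnp` output
and reports listeners on the cleartext services called out above: FTP,
telnet and the Berkeley r-commands (rexec/rlogin/rsh). Intended to run
from cron or a config-management hook so a daemon left running after a
patch transfer gets noticed.
"""
import re
import subprocess

# Cleartext remote-access services and their well-known TCP ports
# (table constructed for this example).
CLEARTEXT_PORTS = {
    21: "ftp",
    23: "telnet",
    512: "rexec",
    513: "rlogin",
    514: "rsh",
}

# Local address column of `ss -tln`, e.g. 0.0.0.0:21 or [::]:23
_LOCAL_ADDR = re.compile(r"^(?P<host>\S+):(?P<port>\d+)$")
# Process name inside the `users:(("vsftpd",pid=...,fd=...))` column
_PROC = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output: str):
    """Return (bind_host, port, process_name) for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        m = _LOCAL_ADDR.match(fields[3])
        if not m:
            continue
        pm = _PROC.search(line)
        proc = pm.group(1) if pm else ""
        listeners.append((m.group("host"), int(m.group("port")), proc))
    return listeners


def find_cleartext_services(ss_output: str):
    """Return one finding per listener bound to a cleartext service port.

    Loopback binds are reported as well: the scenario in the thread is an
    admin who has forgotten the service exists, not one who scoped it.
    """
    findings = []
    for host, port, proc in parse_listeners(ss_output):
        if port in CLEARTEXT_PORTS:
            findings.append({
                "service": CLEARTEXT_PORTS[port],
                "port": port,
                "bind": host,
                "process": proc,
            })
    return findings


def audit_live_host():
    """Run `ss -tlnp` on this machine and return the findings."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True,
                         text=True, check=True).stdout
    return find_cleartext_services(out)


# Constructed sample of `ss -tlnp` output: sshd plus a forgotten vsftpd
# and a telnet listener handled by inetd.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=2231,fd=3))
LISTEN  0       128     [::]:23             [::]:*             users:(("inetd",pid=455,fd=5))
LISTEN  0       511     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=901,fd=20))
"""

if __name__ == "__main__":
    for f in find_cleartext_services(SAMPLE_SS_OUTPUT):
        print(f"{f['service']:7} {f['bind']}:{f['port']}  "
              f"({f['process'] or 'unknown process'})")
```

Run it against the constructed sample and it reports the FTP and telnet listeners and stays quiet about sshd and the loopback MySQL socket; `audit_live_host()` does the same against the running machine. A non-empty result is the signal that the build has drifted from the scripted baseline.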
Of patches, upgrades, and fixes into production environments *break* production environments.
Which is why enterprise class shops have multiple different development, test, and preproduction environments before production, and regression test critical patches throughout those environments before applying in production. This is also why these organizations have change control processes and boards. Immediately patching in all but the most CRITICAL of security scenarios is not generally the best course of action.
So I disagree that "There is one explanation - careless, lazy administration" is the sole answer when a Linux system becomes compromised.
If Linux was the ONLY OS platform available, only Linux systems would be compromised - and the odds are, "inherently secure" or not, the exploits would roughly mimic the metrics and patterns that we see in Win32 systems today. Statistically speaking, as you grow the number of installed machines, for *whatever* reason, you're going to see the same patterns emerge in any similar "ecosystem". Somewhat like parallel evolution, or parallel invention - it is such a fundamental part of natural processes across... across *existence* - that I don't see how people can live in denial of it. There might be minor differences, but the overall outcome will stabilize to be the same.
The will to denial in cases like this amazes me - that people like Jack W. are *so* personally, emotionally invested in their choice of OS that they'll come up with elaborate excuses to defend the OS.
To wit, "When exploits happen to a Windows machine, it isn't the users, it is an evil, soulless, corporate giant who simply doesn't care about anything but profits".
But
"When an exploit happens to Linux, it isn't the OS, which is flawlessly designed, it is incompetent lusers who didn't RTFM!"
I guess I'm not surprised. We've had this argument before. When Linux is found wanting, it is inevitably blamed on "user error". Having trouble setting up WiFi on Ubuntu 8.04? You should be reading a billion threads to discover that the easiest solution is to use NDISWrapper with your Win32 WiFi drivers rather than using the native drivers from the repository. This isn't the fault of Ubuntu being non-intuitive and poorly documented, this is the fault of the user being lazy. Nvidia problems, ATI problems, Compiz problems? Same answer. "Maybe you're just too dumb to run Linux".
How about this... Maybe Linux is just too *difficult* to run?
"Heresy! A M$ Winblowz FANBOY! Get the stake and lighter fluid!!!"
Historically, effective attacks against Unix like systems have more often been social engineering or faulty system configuration. When the fault has instead been in the software code, it's been addressed fairly quickly. A fault beyond the control of the admin was found in Debian's OpenSSL and it was fixed right quick.
By contrast, effective attacks against Windows have often been social engineering and faults in the software. IIS could be configured fully by a competent admin but the buffer overflow being exploited was beyond their control. Could the admin or regular users configure the system against the nuke packet issue present in win98 for years? One can configure Windows to not store LM Hash values but one can't configure Windows to encrypt CIFS/SMB network traffic.
The myth about lack of popularity being the major contributing factor to the security of non-Windows systems ignores too much to be taken seriously.
I empathize with your grief over installing linux but that seems to really be a growing chip on your shoulder. Heck, had I an Eee, I'd have been right beside you with the same distro trying to replicate and solve your grief. Mandriva and Debian both took to my notebook and wireless like a fish to water. Both provided a simple taskbar icon utility to find and connect to wireless. Are network-manager-gnome or network-manager-kde not present in Ubuntu installs? They've made Debian networking a dream.
Edit: I missed your initial point in my response.
I agree that immediate patching is a bad idea and that development and testing environments should confirm it before the production environment is updated. When the vulnerability exploited is default passwords because the admin didn't bother to change them or use strong passwords, that's fully on the shoulders of the lazy admin who didn't do the bare minimum.
Listen, I ran Debian with that faulty SSH that was patched, but I didn't apply that patch for months, simply because I didn't *know*. You would move that into "faulty system config". But the same things generally apply to Win32 exploits. They don't stay open for months, days, or years, once discovered (and an undiscovered vulnerability on Win32 is the same risk as an undiscovered vulnerability on *nix... exploitable until discovered and fixed).
My point here, is that you're splitting hairs on your definitions in a way that allows you to candy coat exploits and vulnerabilities in *nix while condemning them in Win32. The social engineering is universal, but the distinction between "faulty system configuration" (of a notoriously difficult to configure platform) versus "software code faults" (of a notoriously buggy OS code base) doesn't seem to make that much of a difference - other than it allows you to go, "if it happens to Linux, it isn't Linux, it is idiots using Linux". If all other things were equal, I would imagine in either case, you would end up with roughly the same footprint of "exposure" in Linux and Win32, based on these criteria. Of course, all other things AREN'T equal. Linux has a minuscule market share, Win32 has a huge market share, as just one example of why Win32 exploits are so much more common and widespread. Calling something a myth doesn't make it so - no matter how badly you want to deny the truth of security through obscurity.
I don't have a chip on my shoulder, in particular against Ubuntu. I run it on two of my machines. I'm *honest* in my appraisal of it - and my honest appraisal is that Linux is worth every penny I've ever paid for it - although it generally hasn't been a fair trade if I figure in the time I've had to invest. The Linux community in general is incredibly thin-skinned about any sort of constructive criticism against Linux or anything Linux related - but the fact remains, if I am a M$ fanboy, I'm one of the only ones that uses Linux (and other *nixes) on a regular basis.
Regarding where we're going to lay blame, I think the problem is, especially with the rising popularity of Ubuntu... if what I've seen around here is any indication - then the quality of Linux administration is going down the drain rapidly - and we're going to see a LOT more of this. When you combine something as notoriously difficult as Linux to configure with such emerging technical skillsets that people installing the OS barely understand the most common of technical principles... you're going to get a lot of poorly configured machines. It is ironic that for many years competent Win32 Admins have been defending the OS with this same claim - to wit, "it isn't the OS so much as all the idiot users". We'll see how the argument goes for the Linux crowd. God knows they're used to taking the lead from the direction of the Win32 market.
"
Listen, I ran Debian with that faulty SSH that was patched, but I didn't apply that patch for months, simply because I didn't *know*. You would move that into "faulty system config".
"
- Before patch availability, it's a software fault and the developer is responsible for the time until patch release
- After patch availability, it's an administrator fault and since we're talking Debian:
-- Before the patch; http://lists.debian.org/debian-security-announce/
-- After the patch; http://www.debian.org/security/
Same for any other platform, keep up to date with the bug reports and security patch announcements.
"
But the same things generally apply to Win32 exploits. They don't stay open for months, days, or years, once discovered
"
- The currently known and unpatched SSL vulnerability
- CIFS continuing to use a cleartext protocol
- autorun.inf finally getting patched last week after being known since Conficker got publicity
- how long was IIS wide open before they finally fixed that little joy
Microsoft is not the only company to ignore bug reports unless they embarrass the company enough to address them. Apple's "there is no fault in our TCP/IP stack and NIC driver" followed by a TCP/IP stack and NIC driver patch some six months later is another great example. It becomes more important to provide good GR images rather than admit to the bug and patch it quickly.
"
(and an undiscovered vulnerability on Win32 is the same risk as an undiscovered vulnerability on *nix... exploitable until discovered and fixed).
"
No one is suggesting blame for unknown vulnerabilities. The clock starts from the moment it's discovered and ends when a patch is available. The clock shifts to the admin once the patch is available. The clock stops when the server is no longer vulnerable.
It seems that breaches on windows systems tend to be through a vulnerability in the software. Bad configurations happen also but exploited bugs and design decisions beyond the admin's configurable control make up a noticeable amount. Can I simply configure CIFS to use encrypted protocols? Was there a configuration that plugged the buffer overflows in IIS?
With *nix like systems, the breaches reported seem to more frequently be configuration related; poor admin passwords, lack of firewall rules, PHP config rules left active returning too much information, development only settings left enabled leading to cross site scripting. Software vulnerabilities happen but they don't seem to be left open as long.
In the case of the article which started this whole thing; FTP was used unencrypted and weak passwords were used (blank admin password I think actually) - that's not a fault of the administrator?
It's more a matter of all three categories; social, software, config. Social applies to all. Software is heavier on the windows side. Config is heavier on the *nix side. The difference is that administrators can learn to harden a config but they can't learn to compile a patch into a proprietary binary. Because of that, I consider software flaws to be worse than config flaws and patch times more critical a metric to look at.
"
"software code faults" (of a notoriously buggy OS code base) doesn't seem to make that much of a difference - other than it allows you to go, "if it happens to Linux, it isn't Linux, it is idiots using Linux".
"
Just in case it's not clear; it depends on where the fault is found. Was it in the software, was it third party software, was it the system admin's failing? Attacks against the notoriously buggy platform have been successful due to administrator controllable settings; config. I see the daily bug reports in the rest of the code base but the exploitable ones don't seem to remain usable long enough to gain widespread use. Thus, config is the larger threat to security on these systems.
If Linux based systems are of issue then we can look at security over the BSD side. Again, config errors are a larger threat than remote exploit bugs in the software. OpenBSD would be a heck of a baseline to measure the other platforms against for security purposes.
I admit that I can't agree on the obscurity angle. I'd rather put mechanisms in place and keep obscurity as an icing sugar dusting on top. What do I do when the obscurity advantage, being horrendously short lived, is gone. Great, so now they know I'm using MAC filtering on my wifi, what mechanism actually prevents them from connecting?
I'm actually very curious to see what distributions continue to hold up as they gain popularity. What distributions will continue short patch turn around. What distributions' default config will hold up under the pounding. These are not limitations imposed by a third party (cough.. hardware..) so they are good metrics to look at.
I also wouldn't claim you're a fanboy but at what point does constant criticism start to become suspect? How long could one engage every Windows or osX focused discussion with only criticism before it no longer appears as if they are being constructive?
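The reply above lays out a rule for splitting the exposure window: the clock starts at disclosure, belongs to the developer until a patch is available, shifts to the administrator once the patch exists, and stops when the server is no longer vulnerable. The following is an added example, not the poster's code or anything from the linked articles, that turns that rule into a function so the two windows can be measured per host from the dates a team already records. The `Exposure` type, the function name and all dates are constructed for the example; none refer to a real advisory.

```python
"""Exposure clock per the rule stated in the thread (added example, not the
poster's code). Splits the time a host was vulnerable into the part owned
by the vendor (disclosure to patch release) and the part owned by the
administrator (patch release to remediation). A workaround applied before
the patch shipped stops the clock early and leaves no admin window.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Exposure:
    vendor_days: int     # disclosure -> patch available (software fault)
    admin_days: int      # patch available -> host remediated (admin fault)
    still_exposed: bool  # no remediation recorded as of `as_of`
    owner: str           # who holds the clock now: "vendor", "admin" or "none"


def exposure(disclosed: date,
             patch_released: Optional[date],
             remediated: Optional[date],
             as_of: date) -> Exposure:
    """Compute the vendor and admin windows for one vulnerability on one host.

    `patch_released` is None while the vendor has shipped nothing;
    `remediated` is None while the host is still vulnerable (and may be
    earlier than the patch when a workaround closed the hole first).
    """
    if patch_released is not None and patch_released < disclosed:
        raise ValueError("patch cannot predate disclosure")
    if remediated is not None and remediated < disclosed:
        raise ValueError("remediation cannot predate disclosure")

    # The vendor's window ends at patch release, or at the admin's own
    # workaround if that came first, or runs to `as_of` if neither happened.
    ends = [d for d in (patch_released, remediated) if d is not None]
    vendor_end = min(ends) if ends else as_of
    vendor_days = (vendor_end - disclosed).days

    if patch_released is None or (remediated is not None
                                  and remediated <= patch_released):
        # No admin window: nothing to install yet, or the hole was closed
        # by a workaround before the patch existed.
        admin_days = 0
    else:
        admin_end = remediated if remediated is not None else as_of
        admin_days = (admin_end - patch_released).days

    if remediated is not None:
        owner = "none"
    elif patch_released is None:
        owner = "vendor"
    else:
        owner = "admin"
    return Exposure(vendor_days, admin_days, remediated is None, owner)


if __name__ == "__main__":
    # Constructed scenario: disclosed 10 Jan, patch shipped 17 Jan, the
    # admin installed it 20 Mar. Seven days belong to the vendor, 62 to
    # the admin.
    e = exposure(date(2009, 1, 10), date(2009, 1, 17), date(2009, 3, 20),
                 as_of=date(2009, 4, 1))
    print(f"vendor {e.vendor_days}d, admin {e.admin_days}d, "
          f"clock owner now: {e.owner}")
```

Fed a spreadsheet of disclosure, patch and deployment dates, the two sums make the poster's point measurable: the vendor column is the patch-turnaround metric the reply wants to compare across distributions, and the admin column is the "didn't know for months" window the earlier commenter admits to.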
"So I disagree that "There is one explanation - careless, lazy administration" is the sole answer when a Linux system becomes comrpromised."
By 'one explanation', I meant 'one of many', not 'one and only'. I should have been more specific.
Are you referring to command and control servers? If so, could you please supply more details about where 20,000 desktops were turned into C&C servers. I hadn't heard anything about desktop OSs being used for C&C. Thanks in advance.
My understanding of that first paragraph was that there was a cluster of servers and botted desktops serving malware.
edit: Check here
http://blogs.computerworld.com/14723/no_more_linux_security_bragging_botnet_discovery_worry
and see the linked articles.
I read all the posts and they are all over the map. I still don't know if they were C&C servers or bots.
If they are serving malware, then I suspect that they are secondary C&C servers where compromised computers are sent to get additional malware after being exploited. That is not new and very prevalent.
it's more about botted PCs via worms. and it's an average figure based on some Symantec and David Dagon (who was a PhD student at the time).
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/16/AR2006021601388.html
it's an interesting read but nothing technical.
There are quite a few who think this way!
Just look around the forums, they are there.
...and certainly not software. Anything can get owned, be it Mac OS X, Linux, Unix, Windows or even exotic ones.
Hackers are not stupid, they know about all OSes and they get updated daily on their security flaws, that is all flaws... since
1 - the media publishes them.
2 - there now exists software (you just need to search a bit) to find vulnerabilities in all the OSes mentioned above.
You might not know it yet but we are in a computing/internet crisis. Anything and anyone can get owned by a zero-day vulnerability, even with state of the art firewall/anti-virus/security patches and whatnot.
Hackers are perhaps our only hope as they are the computer enthusiasts interested enough to discover exploitable flaws in software. If not for the Hackers, we'd only have manpower-limited QA teams inside the developer company and the criminals who exploit the flaws with malicious intent.
As you say, criminals are not stupid and be it a crowbar or a computer, it's professional. What we need is more transparency of discovered vulnerabilities, more proactive patch release and system updating, and vulnerability assessment software at less prohibitive price points.
1. The media needs to make exploitable vulnerabilities known, including estimated patch delivery and potential workarounds in the meantime.
2. Nessus is a great application but the annual fee for updates is very prohibitive. Hopefully OpenVAS can mature quickly and keep competitive with its signature updates so that those who can't afford $10k a year can also proactively audit their own systems before someone with criminal intent does.
(I use Hacker in the correct sense meaning a computer enthusiast who may happen to be of the Security Hacker sub-category, contrasted to Criminal, which demonstrates malicious intent and needn't be romanticized with special titles just because they may use a computer rather than a brick.)
I have a client using a project called "ZoneCD" on his wireless network. He bypassed many security measures because he felt this application was covering his security needs. I sat down at a table, opened my laptop and started capturing packets containing sensitive passwords on his network within 5 minutes. Now he listens to my advice.
Without the really knowledgeable and experienced hackers out there (read:people smarter than me), we wouldn't have these vulnerability fixes because no one would know of the vulnerabilities.
I regularly attack my own network and am steadily bringing the work network up to a standard that can also survive outright attack. Heck, based on a client's ISP router setup, I came home and duplicated the settings on my test router to see exactly how long it would take a criminal to break into theirs; 20 minutes given one router, one client and minimal network traffic.
In the case of Conficker, publicity brought this to the attention of average users who were the last to know about it, long after hackers, criminals and Microsoft. A workaround was provided in the case of autoruns and those who had skipped the patch found out why it was important to apply it.
My concern is that the original poster is first confusing Hackers for people with inherent criminal intent and second, suggesting that security auditing tools and news reports increase the risk of vulnerability exploitation.
Too many hackers do nothing more than try to create chaos and in some cases succeed very well. There are those who look for security holes and suggest ways to plug them (ethical hacking) but the majority are looking for trouble in one form or another.
The main hope comes from the administrators whose lack of knowledge (or unwillingness to apply said knowledge) causes networks and electronic systems to be vulnerable.
Examples that I myself have seen involve users being given full admin rights because user rights management wasn't fully understood. Or maybe the company that put ALL the company's data files into a FAT32 folder and shared it. Or maybe we should consider the school that put a teacher in charge of the network simply because he knew how to code in HTML and PHP (if he knows that then he must know everything about IT, right?).
My point is that admins are the first line of defence in a network, not the technologies they use. And certainly not the hackers. The admin has to be able to analyse an attack and understand what has happened in order to do anything about it.
If admins are too lazy or too stupid to realise theirs is a job of continual development, learning and analysis, then they deserve the attacks that are going to cripple them.
How can you lock down your network if you don't have a good working knowledge of where attacks come from? A good admin, particularly on the network side of things is a hacker whether he/she realizes it or not.
Hackers aren't bad, like neon samurai pointed out. I make attempts to hack into my network regularly. Hell, we're required to pay a consultant to come in every 3 years and "assess our security." What is a security assessment? A fancy word for some guy like me who gets overpaid to come in and attempt hacks on your network.
The new server package includes the update script for vulnerability plugins. If you're like me and can't afford Nessus for professional use, it's a quickly maturing alternative to include alongside your other testing tools and manual steps.
But I might need to install it on one of my spare boxes and try that out. Judging by the info on the website, it seems pretty robust. Nessus is a little too pricey for me to justify. We're required to have outside specialists perform security assessments anyway. It would be nice to have one centralized tool that our server people could utilize, as well. I like it, I just have a hard time justifying the purchase to myself given all the other tools we use. It would simplify the gathering of data, but over-simplifying my job will make it easier to find my replacement!
If you're going for OpenVAS specifically, you may want to go with Debian 6 Squeeze. It's in testing status so expect things to be flaky. OpenVAS is coming to Debian 5 Lenny through the backports repository, so I'm waiting for the signature update script to officially be included there, along with some other fixes. Still, it looks very promising but still a little soft and squishy baking in the oven compared to Nessus.
The myth caused by endless media misrepresentation is that Hackers are some evil pimply kid interested only in breaking into computer systems. The reality is that the community has matured long past that point. Hackers are not strictly security or computer enthusiasts even. Life Hackers, Car Hackers, Stereo Hackers, Hardware Hackers, Radio Hackers, Psychology Hackers, Social Engineers, Political Hackers, Lock-sport enthusiasts.. it's more about approaching a topic of interest with a nearly obsessive need to understand things to a minute detail. To read the manual but then wonder what further can be done beyond the manufacturer's intended use.
In this case, Security Hackers are the specific sub-category; people whose hobby time and enthusiasm is towards understanding and improving security by finding its weaknesses. These people stay within the law by working on their own purchased systems. These are the people who provide details of faults in security to the applicable vendor so it can be improved.
It's offensive and flat out factually wrong to assume that Hackers are inherently unethical, interested only in security and focused on breaking into systems without prior permission. Those that do these things are not Hackers, though they reinforce the stereotypical misconception promoted in the mass media.
"Too many hackers do nothing more than try to create chaos and in some cases succeed very well."
Wrong. These are not hackers. These are either immature kids who may do such things regardless of medium (ie. not just with computers) or criminals. Hackers are the people who grow out of this phase and develop a healthy curiosity. Your definition and understanding is incorrect. The majority of the security focused hackers are primarily interested with improving security not destructive ends.
"The main hope comes from the administrators whose lack of knowledge (or unwillingness to apply said knowledge) causes networks and electronic systems to be vulnerable."
I would suggest that "the main hope" comes from hackers who discover vulnerabilities and responsibly report them, along with administrators who address such vulnerabilities within their own systems. If the administrator shows a "lack of knowledge (or unwillingness to apply said knowledge)" then they are not doing their job.
Your examples are definitely demonstrations of bad IT management decisions. I would agree that Administrators are the first line of defense, be they just there for the job or in fact Hackers themselves. I'd much rather hire Hackers to administrate my network because I know their enthusiasm for technology will motivate them to refine the network to a piece of usable but secure art. If an admin does not have the Hacker mindset and approach, they are already at a disadvantage when analyzing network issues and vulnerabilities.
A big risk is absolutely Administrators who do not show due diligence in their job role. Such people barely deserve the title Admin, let alone the sub-cultural title of Hacker.
The other part of that though is the Security Hackers who responsibly research systems down to the most minute detail and in doing so purposefully or serendipitously discover exploitable faults. The recent SMB vulnerability; Hacker discovered and reported. Conficker; Hacker discovered and reported. Win98 reporting system inventory back to MS through Windows Update; Hacker discovered and reported. Weaknesses in OS X leaving Apple customers at risk; Hacker discovered and reported. Vulnerabilities in the OS X TCP/IP stack and NIC driver; Hacker discovered and reported. The local boot vulnerability in Windows and Unix-like OS; Hacker discovered and reported. Weaknesses in "un-pickable" physical locks; Hacker discovered and reported. Weaknesses in GSM mobile phone cryptology; Hacker discovered and reported. SSL weak certificates; Hacker discovered and reported. 3D printers that can be bought or built at home by the average person rather than purchased for thousands of dollars; Hacker developed with specs publicly released. And on.. and on..
I suggest Hackers may be our only hope because they are the security researchers who discover vulnerabilities, though a closed company may knowingly ignore it until publicly embarrassed by it. I suggest this also because Hackers employed as administrators are the more likely to proactively address discovered vulnerabilities in their own networks, servers and workstations. Outside of computers, these are the DIY crowd and inventors who continually look for ways to push their area of interest forward rather than just saying "meh, good enough. It is what it is.."
In this case, had the administrator been a Hacker, the root accounts would have been secured and ftp implemented as safely as possible if allowed on the system at all. It was criminals who broke into the computer, not hackers. It was lazy or limited knowledge administration that allowed the breach, not hackers.
Continual development, self directed learning, analysis.. that is Hacking.
Ethical hacking (your term was "Security Hacking") is a means of testing a network's vulnerabilities. It works and it is essential to a network's ongoing security compliance. Network admins (as has been suggested as a response to my original post) are also hackers in a sense because of their requirement to understand the concept of inherent security issues and then resolve them as best they can.
But this is not the person I am talking about.
I am talking about the person that does not necessarily know how a network functions. Rather, this person downloads freely available tools from the Internet, performs port scans (although does not know what a port is) and searches for weak passwords that can be used. This could be in the search for proof of ET Life (Gary McKinnon) or it could be more sinister.
To say that the hackers are essential, or to say I am being offensive and factually incorrect I do not believe to be right. If someone hacks into my network and then reports the issue, they have still gained illegal access. Who knows how long they have known of the vulnerability, exploited it and then reported it with the intention of trying to cover their tracks.
To hack your own network is a reasonable course to take, but don't be fooled by the results. You know the construct of your network, the protocols in use, the software ports that are open. You know in essence, the route in.
The only person to be trusted with the job of hacking into and analysing a network's vulnerabilities is a hacker! Surprised I would say that? Read on.
I have been performing penetration testing and network vulnerability analysis for a good few years. I have had to undergo police and government vetting, the courses I attended required clearance and that all before I was allowed to go anywhere near any hacking tools. The contracts between me and my clients are so solid and watertight with regards to data privacy and security compliance that on occasion they have hindered even me in my pursuit of a good job and sometimes I have even had to turn work down because of this.
How much of the previous statement does your average hacker have to go through? Can you be sure your data or systems haven't been compromised by the person reporting the vulnerability?
A do-gooding person that looks for child-porn on the Internet so it can be reported and closed down is treated in the same way as someone less well-intentioned. This is because they are not authorised to actively search for said content.
I believe the same rules should apply to everyone that decides to play network vigilante. The first question that should be asked when it is reported should be: "What were you doing there in the first place?"
Hackers are necessary, but let's keep the context clear. They should be strangers to the network left to ply their trade. But they should be cleared to ensure they are not acting with potential criminal intent and to afford the client peace of mind.
It is the network admin's place to recognise this need and not let ego stand in the way. The network admin should recommend the tests to administer and continually develop, learn and analyse (your last paragraph).
That's why I have said, and will continue to defend, my point that the network admin is the first and most important line of defence and not the hacker. After all, is that not what he is paid for?
The irony is that we have to specify "ethical hacking" when "unethical hacking" is actually the anomaly, not the norm. "Ethical Hacking" is a completely redundant grouping of words. It's like saying "round ball" as if that's somehow different from "ball", as opposed to the anomaly state "square ball".
It's also not just being in possession of tools that makes one a hacker. It's a mental approach to learning and problem solving with a rich and innovative history. Being in possession of a hammer doesn't make me a master carpenter, nor does a spatula make me a chef.
"I am talking about the person that does not necessarily know how a network functions. Rather, this person downloads freely available tools from the Internet, performs port scans (although does not know what a port is) and searches for weak passwords that can be used. This could be in the search for proof of ET Life (Gary McKinnon) or it could be more sinister."
Skript Kiddie. If you have to have some computery-cool sounding word then that would be it. Defined as "person who downloads and uses tools without really knowing how they work or what they are capable of". You're specifically referring to a person who may one day take enough interest to develop into a hacker but is currently as close to a chef as a high school kid following the directions on the back of a Kraft Dinner box.
If it's someone just mucking with "toys" they downloaded then irresponsible would be an easy description, as would skript kiddie. Gary McKinnon would be slightly above this, probably in the range of power user, but Hacker he ain't regardless of how many times the media labels him. I also still think he should be held accountable, but to a reasonable sentence rather than what they currently want to do with him. If the intent is malicious you can simply skip all that and move on to "criminal" since the end result is intentional criminal behavior like fraud, theft of services, breaking and entering. No need to romanticize it just because the criminal goes through a computer instead of a side window.
"to say I am being offensive and factually incorrect I do not believe to be right"
This is the problem. You're assuming Hackers are inherently malicious, unethical and criminal or interested only in high-school level rebellion against authority. By recognizing only the pejorative form of the word, you ignore the majority of its meaning. It's offensive because you say "Hacker" when what you mean is "common criminal".
If someone breaks into your network without prior permission then they are the exception to the rule, not the norm. They are not a true representation of hacking or the sub-culture. It's matured; hackers no longer email administrators from their own accounts explaining how they got in without prior permission. Those days are gone as the community has matured along with changes in the law.
I'm not surprised you would suggest a Hacker be the correct person to hire for a penetration test. I've yet to meet or read/hear a pentester who didn't demonstrate the hacker ethic and mindset. They are culturally a Security Hacker though they may happen to professionally hold the title of Security Penetration Tester or Security Researcher. I surely wouldn't hire a Stereo Hacker (audiophile), Car Hacker (gearhead), Radio Hacker (ham) or Brain Hacker (they like psychology rather than tech) for such a job, though they all happen to be of the hacker mindset.
I'm actually a little surprised to now learn that you're a certified pentester yet so locked into the use of "Hacker" when there are more accurate and correct terms to use. I'm guessing CISSP, given its "I will not associate with hackers", though the CEH material sticks closely to the misuse of the term also.
But this is the thing, you're assuming hacking is inherently evil. How much of what you've gone through have other hackers had to go through? I'd say just as much if they professionally work as pentesters. Those whose hacking involves things outside of security probably haven't had to go through any of that because it's not relevant to what they do, just as you've not had to go through what they have done (maybe you have your Ham license though). There are also Security Hackers who are not certified pentesters and stick within the law on their own personal hardware or small jobs with the owner's permission. Assuming that a hacker hasn't gone through the same certifications as you is like assuming someone can't be a good Windows admin just because they haven't been through the MCSE process.
Your child-porn example is also not relevant. The majority of rational people would not be doing so. The anomaly is the person who does so while not working directly with law enforcement. It's also content clearly illegal to obtain and possess, not to mention abhorrent in nature. This is about as rational as suggesting that many people rob stores at gunpoint to test the security and police response before handing the money back and congratulating the first officer on the scene. The same rule absolutely applies to anyone playing network vigilante. Hand child porn over to the police and you'll be investigated severely, as you should be. Rob a store regardless of intent and you're going to see criminal if not civil charges. Break into a computer without permission and regardless of intent, you should be held accountable, not automatically given the title Hacker.
You're attributing Hacking to a very narrow and incorrect definition. I think that is the real problem, as we agree on the general points but not on your narrowly defined terminology.
You suggest that a hacker must be a third party focused on computers, focused on security and hired to test your network. I'm suggesting that "hacker" is a mental state that can be applied to any topic of interest.
Users - the guy at work that barely knows how to turn on the computer but can get work done. Maybe comfortable with the computer and changing the desktop background but generally, the average computer user.
Poweruser - mucks with settings and may make use of utilities but mostly interested in the basic quick settings to adjust the system to one's liking.
Tuner - game geeks that will adjust settings to get highly refined performance out of their gaming. The person that must check all normal settings, maybe use a utility for some and could even hit the registry directly for absolute fine tuning.
(Professional IT tend to fall into these two categories but with more understanding and responsibility for what they do.)
Hacker - must understand everything down to the smallest detail. Not satisfied with knowing that the "check email" button brings in email, they must learn how the data flows through the computer and network to and from them, within legal limits. This level of need to learn is applied to any topic of interest, not just computers or technology.
An administrator may be a poweruser or tuner, they may be a management genius or they may be an all out hacker working in their dream job while keeping their own learning and research on personal and test networks.
Yes, the network admin is the first and most responsible line of defence, but they may also be a hacker. They may also have developed the hacker mindset. As a hacker, they have the added nearly obsessive need to learn and will apply that learning to their job responsibly. It's not the lazy admin that is our hope. It's not the status quo admin that is our hope. It's the self motivated, self directed learner (hacker) admin which will be most proactive in managing the network, keeping up to date with technology and addressing issues in the network as new risks and patches come out.
It's also not just being in possession of a tools that makes one a hacker. It's a mental approach to learning and problem solving with a rich and innovative history. Being in possession of a hammer doesn't make me a master carpenter nor does a spatula make me a chef.
"I am talking about the person that does not necessarily know how a network functions. Rather, this person downloads freely available tools from the Internet, performs port scans (although does not know what a port is) and searches for weak passwords that can be used. This could be in the search for proof of ET Life (Gary McKinnon) or it could be more sinister."
Skript Kiddie. If you have to have some computery-cool sounding word then that would be it. Defined as "person who downloads and uses tools without really knowing how they work or what they are capable of". You're specifically referring to a person who may one day take enough interest to develop into a hacker but is currently as close to a chef as a high school kid following the directions on the back of a Kraft Dinner box.
If it's someone just mucking with "toys" they downloaded then irresponsible would be an easy description, as would skript kiddie. Gary McKinnon would be slightly above this, probably in the range of power user, but Hacker he ain't, regardless of how many times the media labels him. I also still think he should be held accountable, but to a reasonable sentence rather than what they currently want to do with him. If the intent is malicious you can simply skip all that and move on to "criminal", since the end result is intentional criminal behavior like fraud, theft of services, breaking and entering. No need to romanticize it just because the criminal goes through a computer instead of a side window.
"to say I am being offensive and factually incorrect I do not believe to be righ"
This is the problem. You're assuming Hackers are inherently malicious, unethical and criminal, or interested only in high-school level rebellion against authority. By recognizing only the pejorative form of the word, you ignore the majority of its meaning. It's offensive because you say "Hacker" when what you mean is "common criminal".
If someone breaks into your network without prior permission then they are the exception to the rule, not the norm. They are not a true representation of hacking or the sub-culture. It's matured; hackers no longer email administrators from their own accounts explaining how they got in without prior permission. Those days are gone as the community has matured along with changes in the law.
I'm not surprised you would suggest a Hacker be the correct person to hire for a penetration test. I've yet to meet or read/hear a pentester who didn't demonstrate the hacker ethic and mindset. They are culturally a Security Hacker, though they may happen to professionally hold the title of Security Penetration Tester or Security Researcher. I surely wouldn't hire a Stereo Hacker (audiophile), Car Hacker (gearhead), Radio Hacker (ham) or Brain Hacker (they like psychology rather than tech) for such a job, though they all happen to be of the hacker mindset.
I'm actually a little surprised to now learn that you're a certified pentester yet so locked into the use of "Hacker" when there are more accurate and correct terms to use. I'm guessing CISSP, given its "I will not associate with hackers", though the CEH material sticks closely to the misuse of the term also.
I have read your post with a measure of incredulity. The problem is I believe you are trying to glorify what is essentially a damaging trade.
I typed into Google the words "network hacker". In the first three pages I found no reference to hacking being good. In fact, by Wikipedia definition and the definition offered up by the Oxford English dictionary, it is anything but.
And to say that ethical hacking is a redundant grouping of words is outrageously daft to say the least. And to say "unethical hacking is an anomaly and not the norm" is equally so.
I would like you to have a look at the random links I looked at below and tell me whether you believe that hackers gaining access to restricted systems is useful or damaging, legal or illegal.
From Wikipedia - Hacker
White hat
Main article: White hat
A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. This type of hacker enjoys learning and working with computer systems, and consequently gains a deeper understanding of the subject. Such people normally go on to use their hacking skills in legitimate ways, such as becoming security consultants. The word 'hacker' originally included people like this, although a hacker may not be someone into security.
Grey hat
Main article: Grey hat
A grey hat hacker is a hacker of ambiguous ethics and/or borderline legality, often frankly admitted.
Black hat
Main article: Black hat
A black hat hacker is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.
Script kiddie
Main article: Script kiddie
A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding. These are the outcasts of the hacker community.
Hacktivist
Main article: Hacktivism
A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks. In more extreme cases, hacktivism is used as tool for Cyberterrorism.
Oxford English Dictionary Online
http://www.askoxford.com/concise_oed/hack_1?view=uk
verb 1 cut with rough or heavy blows. 2 kick wildly or roughly. 3 use a computer to gain unauthorized access to data. 4 (hack it) informal manage; cope. 5 (hack off) informal annoy.
http://www.ethicalhacker.net/content/view/16/24/
http://www.washingtonpost.com/wp-dyn/content/article/2006/07/13/AR2006071301551.html
http://www.out-law.com/page-2805
http://compnetworking.about.com/b/2009/01/26/what-is-a-network-hacker.htm
I have found no evidence to support your claim that hacking is a state of mind.
I'm not trying to glorify a damaging trade. I'm suggesting that your accepted definition of the term is incorrect and of an overly limited scope. I'm saying that hacking is not inherently a damaging trade. I'm saying that historically and currently within the hacker community, the majority of people are ethical, demonstrating a higher than average respect for licenses, ownership and privacy. While the mass media has publicly and continually corrupted the meaning of the term into "evil pimply faced malcontent with a computer", that is not the correct meaning or the majority of people. I'm not saying that hacking is some sort of mysterious glorified magic but a way of thinking in which people question everything while focusing on an area of interest with a nearly obsessive need for learning, though within legal limitations. I'm saying that it doesn't just apply to security, computers or technology but instead applies to how one thinks about the world around them.
"Hack" can more accurately be thought of as meaning "to understand", as in "I hack that topic" or "I actively focus on understanding all I can about that topic". The average staffer may finish the day administering the network and go home without a second thought until the morning after when they return to work. I'd much rather have the hacker who spends the day enthusiastic about his network administration, then goes home to his recreation of learning through playing with his own network. An average staffer is going to go "oh.. we have users with WEP wireless at home, good thing we don't have that here".. the hacker will go home, config a personal wifi router to mirror the settings and fully understand the risks related to that setup; for fun and the hacker need to understand. "Implement security only if we are proven vulnerable" is the average staffer way (thankfully, it's changing these days) where "how can I further refine the security of my network through 'deny all, allow only necessary' approaches to my network security?" is what goes through the hacker's head after he's left the office.
As I said before, the DIY crowd of the 60s demonstrates the same mental approach as today's hackers.
If you want accurate definitions, go to the source. Go to the dictionary of correct terminology which began with the first train and later computer hackers at MIT.
We'll start with your Wikipedia reference:
http://en.wikipedia.org/wiki/Jargon_File
The more correct definitions:
Hack - http://catb.org/~esr/jargon/html/H/hack.html
Hacker - http://catb.org/~esr/jargon/html/H/hacker.html (notice #8)
Samurai - http://catb.org/~esr/jargon/html/S/samurai.html
Cracker - http://catb.org/~esr/jargon/html/C/cracker.html
The irony is that terms like "ethical hacker", "white hat", "black hat", "script kiddie" have been invented to try and give the public and media more accurate terms rather than slandering the majority of ethical enthusiasts with the actions of the unethical minority. Hacktivism is an oddity in that it's political activists who've adopted tricks developed by ethical hackers. It is the oddity between the anomaly and the proper usage.
Go to the closest thing the community has to a professional journal: www.2600.org (I'll see if I can transcribe an article or two this evening; they are pretty short and the magazine gives permission for such replication)
A few more sites:
http://artofinfosec.com/
http://www.blackviper.com/News/current.htm
http://www.darknet.org.uk/
http://ha.ckers.org/
www.hakin9.org
http://www.malforge.com/
http://www.milw0rm.com/
http://isc.sans.org/
http://www.schneier.com/blog/
http://www.sectheory.com/papers.htm
http://www.securitytube.net/
http://www.uninformed.org/
Perhaps video of current Hackers though more toward the Hardware Hacker type
http://www.youtube.com/watch?v=58rbVFAroW4
http://www.youtube.com/watch?v=sJ-nyx8Yep4
http://www.youtube.com/watch?v=-gFJ2QfQcb4
http://www.youtube.com/watch?v=_yU1Fi021mM
http://www.youtube.com/watch?v=VWEEXEOQABg
Consider the hacker conferences which have gotten rather big:
Blackhat
HAR
SecTor
Most if not all the people who attend will be hackers applying their mindset to some area of interest or another.
http://www.thelasthope.org/talks.html
Many of these talks have been given at other conferences also. You'll notice that the overwhelming intent is to understand a thing and, where that thing relates to security, how to fix or mitigate it, if not at least to be aware of it. Many relate to network administrators who may not have been aware of these issues if not for hackers exploring them.
Steven Rambam does a great talk on information privacy. Adam Savage (the myth buster) does a great talk on hardware hacking, though not the electronics or computer type.
From a Black Hat to a Black Suit: How to climb the corporate security ladder without losing your soul. Sure, the title is a little tongue in cheek, but the guy is a great example of a security professional who happens to also be a hacker. One of his examples is having a meeting with a product sales rep and company management. The sales pitch is all roses, yet, being a hacker who keeps up with current information, he asks if the sales rep is aware of the known flaw in the technology being pitched which is scheduled for a talk at an upcoming security conference.
Perhaps you feel Joe Klein is just another miscreant.. after all, he's a hacker and the definitions you're willing to accept are all related to malicious intent. How about Johnny Long's No-Tech Hacking talk? If you've not listened to it then it should be on your todo list. Get the YouTube video from Blackhat if you need more than the audio.
Political Hacker? Arjen Kamphuis has a talk on policy hacking. A good demonstration of someone trying to make things better.
Postal hacking.. good talk by CypherGhost on stuff he's mailed through the postal system.. another example of the hacker mindset applied to non-tech.
Project Telephreak: phone phreaks doing it the legal way.
If you want some accurate and good information, listen to Steven Levy's keynote address. It's there for download.
The Zen of the Hacker
"An inquiry into the conditions under which hacker culture thrives, the curiously American quality of hacker culture, and the evolving challenges of preservation of the hacker ecosystem."
That last one is another must-listen item. Yes, the US founding fathers were political hackers and yes, the US was founded on hacker ethics and values.
Perhaps some descriptions from real hackers?
[Software] "Hacking is simply banging away on a keyboard until you make the computer do what you want." - Eric Raymond
"Hacking is simply taking a thing and finding ways to use it beyond how the manufacturer intended it" - (I paraphrase and leave finding the talk within the Hope talks as a challenge for the reader)
The Oxford dictionary (which includes "twofour" and "irregardless") is not written by people knowledgeable about hacker culture. News headlines are chosen to generate hype with the goal of selling based on the public's fear of the unknown.
In all of this, I am suggesting that your accepted definition of the term is extremely narrow if not outright wrong. You seem to find hacking and computer security mutually inclusive while suggesting that primarily, hacking and professionalism are mutually exclusive.
I think one of the best descriptions on the topic comes from the current issue of 2600 Magazine, so I'll see if I can sneak fifteen minutes or so to transcribe it for you.
(Separate from this discussion on semantics, I'm much more interested in your own work as a pentester along with the certifications involved. Did you go the CISSP route? What are your thoughts on the CEH and CREST route?)
Any time there's a new administration in power, we're likely to see renewed effort to address certain problems. And either a brand new approach is tried or we fall right back into the same old habits. And sometimes both of these happen, leading many to conclude that true change is nearly impossible to achieve.
The recently released Obama initiative on "cybersecurity" could really go either way at this point. If promises of dialog and open-mindedness are held to, we at least have the potential of getting it right. But there are still enough troubling signs overall for us to be seriously worried.
Let's look at policies of the past. In the Clinton years, really the first administration with any sense of computers and connectivity, a lot of potential was lost because common sense was sacrificed to shrill headlines and a sense of panic. Education gave way to crackdowns and prosecution. Rather than foster transparency, Clinton pushed for more control and surveillance under the name of such horrors as the Clipper Chip, CALEA, and the Communications Decency Act. Remarks made by Bill Clinton in 1999 on the subject "Keeping America Secure for the 21st Century" included this gem: "Last spring, we saw the enormous impact of a single failed electronic link, when a satellite malfunctioned disabling pagers, ATMs, credit card systems, and television networks all around the world. And we already are seeing the first wave of deliberate cyber attacks: hackers break into government and business computers, stealing and destroying information, raiding bank accounts, running up credit card charges, extorting money by threats to unleash computer viruses." By portraying hackers as sociopaths and by linking them even indirectly to massive technological failures, the seed was planted in many that hackers were the enemy. In this administration we saw more clampdowns and imprisonments of individuals for nebulous computer-related crimes than ever before. Hardly an enlightened approach.
As expected, not much changed in the Bush years. We saw the usual exaggerated statistics to make the public scared of the hacker threat. In the period following September 11, 2001, there were serious fears that the newly formed Department of Homeland Security would treat hackers as if they were equivalent to terrorists. This threat was overshadowed by the attack and wanton disregard for everyone's civil liberties in the name of national security. Hackers were still seen as a threat, but now there were so many perceived threats that it wasn't too difficult to prove how ill-conceived the policies were.
So now we have a president who likely understands the Internet better than any of his predecessors. More importantly, he seems to appreciate certain aspects of it that those in power frequently don't get. The concept of network neutrality is one shining example of this. Net neutrality is strongly opposed by the communications giants even though it's how the Internet has worked from the start. It basically puts control in the hands of the users and prevents broadband carriers from discriminating against certain competing applications or content. Obama's position on this remains unchanged as of his May 29th remarks: "I remain firmly committed to net neutrality so we can keep the Internet as it should be: open and free." So far, so good.
This is also an administration that supports, at least on paper, the idea of open source software and, by extension, full disclosure. Again, promising. But we're not so naive as to think that there won't be contradictions and exceptions invoked that will anger us down the road. It's next to impossible to have this much power and hold onto these lofty ideals. Which is why our vigilance on these matters is especially important. There will be tremendous pressure to stray from this path and it's up to all of us to ensure that mistakes of previous administrations aren't repeated here.
"Our pursuit of cyber security will not - I repeat, will not include - monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans." These are indeed great words but, at the moment, they are only words. Without any doubt, they will be tested at the first sign of a crisis. That's when we see if they remain only words. Already, the Obama administration has opted to protect the NSA's warrantless wiretapping program in the name of national security. Troubling signs like this make us all the more wary of any promises.
What disturbs us in Obama's cybersecurity plan is that continuing jingoistic approach to the perceived hacker threat. We're quite pleased to see no mention at all of hackers in the main report, but Obama's spoken remarks weren't as tempered. Referring to his own experiences during the campaign, he says, "Between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans." As most of us who read these pages already know, it doesn't take a hacker to gain unauthorized access to a system, particularly one that was obviously so high profile. We have seen numerous examples of employees with organizations (phone companies, Internet providers, etc.) who abuse their access and violate privacy. Does this make them hackers? We also see almost daily instances of nonexistent security where thousands or even millions of personal records are left wide open for anyone to stumble upon, whether it be on an insecure website, a misplaced laptop, or even in a garbage dumpster, to name but a few. Yet, when these egregious violations are eventually uncovered, the threat is deemed to be the "hackers" even when no evidence exists that anyone at all even accessed the information, let alone that they where hackers.
"But every day we see waves of cyber thieves trolling for sensitive information - the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services." It's easy to see the negativity in just about all of these entities. But a "lone hacker?" This is now by default a bad thing? We prefer to think of a lone hacker a thousand miles away as a beam of light and quite possibly the person who can help to find solutions to the very same issues being discussed here.
Hackers will figure things out. They will tell other people. They are the epitome of the open environment that Obama claims to support. They are not the miscreants who profit from corporate espionage, send out a universe of spam, or attempt to cause mayhem through viruses and worms. Over the years, the media has created the perception that anyone causing any sort of mischief on the net or involving a computer is ipso-facto a hacker. This, ironically, leads those very individuals who participate in this sort of destructive behavior into proudly labeling themselves as hackers. But they're clearly not and a mere look at the constant dialog that runs through our pages will show any outsider just how seriously true hackers take this sort of thing. By simply awarding any evildoer with a keyboard this title, we wind up giving them far more credit than they deserve and the people with the real talent are themselves categorized as criminals. This is a surefire way to not only lose the battle but to lose a generation of innovators and freethinkers.
We want to be very clear on this. Many hackers do step over the line. Not so long ago, it was impossible for most curious people to play with a UNIX machine without breaking into one. Communications once were so prohibitively expensive that manipulating one's way around the Bell System was almost a necessity for those who simply wanted to stay in touch and share information. We see how society has changed so that these interests (computer access and free communications) are now encouraged. While mischievous and not completely within the confines of the law, such people were never malicious or destructive. Often they enjoyed and understood the systems they were using far more than the legitimate users and they frequently went on to design better ones. We know that many people have a problem with those who step outside the rules and we don't expect ringing endorsements for their behavior. But what we should expect is for distinctions to be drawn between this sort of thing and antics of idiots, vandals, profiteers, and con men who have always existed and always will. Just because they use the technology does not mean they appreciate it or comprehend it for anything more than their unimaginative goals.
Terms like "digital war" and "cyberterror" are great for sound bites but we need to avoid the tabloid approach in strengthening security or we'll inevitably wind up with ill-conceived legislation and a lot of misplaced fear. Done properly, our ideals have a chance of surviving and many of our nation's brightest could help steer us in the right direction.
Emmanuel Goldstein
2600 Magazine
Volume Twenty Six, Number Two - Summer 2009
(Transcribed here with the often expressed permission of 2600 Magazine. Anyone in the computer security industry should be taking two hours four times a year to read this fine Quarterly publication.)
The recently released Obama initiative on "cybersecurity" could really go either way at this point. If promises of dialog and open-mindedness are held to, we at least have the potential of getting it right. But there are still enough troubling signs overall for us to be seriously worried.
Let's look at policies of the past. In the Clinton years, really the first administration with any sense of computers and connectivity, a lot of potential was lost because common sense was sacrificed to shrill headlines and a sense of panic. Education gave way to crackdowns and prosecution. Rather than foster transparency, Clinton pushed for more control and surveillance under the name of such horrors as the Clipper Chip, CALEA, and the Communications Decency Act. Remarks made by Bill Clinton in 1999 on the subject "Keeping America Secure for the 21st Century" included this gem: "Last spring, we saw the enormous impact of a single failed electronic link, when a satellite malfunctioned disabling pagers, ATMs, credit card systems, and television networks all around the world. And we already are seeing the first wave of deliberate cyber attacks: hackers break into government and business computers, stealing and destroying information, raiding bank accounts, running up credit card charges, extorting money by threats to unleash computer viruses." By portraying hackers as sociopaths and by linking them even indirectly to massive technological failures, the seed was planted in many that hackers were the enemy. In this administration we saw more clampdowns and imprisonments of individuals for nebulous computer-related crimes than ever before. Hardly an enlightened approach.
As expected, not much changed in the Bush years. We saw the usual exaggerated statistics to make the public scared of the hacker threat. In the period following September 11, 2001, there were serious fears that the newly formed Department of Homeland Security would treat hackers as if they were equivalent to terrorists. This threat was overshadowed by the attack and wanton disregard for everyone's civil liberties in the name of national security. Hackers were still seen as a threat but now there were so many perceived threats that it wasn't too difficult to prove how ill-conceived the policies were.
So now we have a president who likely understands the Internet better than any of his predecessors. More importantly, he seems to appreciate certain aspects of it that those in power frequently don't get. The concept of network neutrality is one shining example of this. Net neutrality is strongly opposed by the communications giants even though it's how the Internet has worked from the start. It basically puts control in the hands of the users and prevents broadband carriers from discriminating against certain competing applications or content. Obama's position on this remains unchanged as of his May 29th remarks: "I remain firmly committed to net neutrality so we can keep the Internet as it should be: open and free." So far, so good.
This is also an administration that supports, at least on paper, the idea of open source software and, by extension, full disclosure. Again, promising. But we're not so naive as to think that there won't be contradictions and exceptions invoked that will anger us down the road. It's next to impossible to have this much power and hold onto these lofty ideals. Which is why our vigilance on these matters is especially important. There will be tremendous pressure to stray from this path and it's up to all of us to ensure that mistakes of previous administrations aren't repeated here.
"Our pursuit of cyber security will not - I repeat, will not include - monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans." These are indeed great words but, at the moment, they are only words. Without any doubt, they will be tested at the first sign of a crisis. That's when we see if they remain only words. Already, the Obama administration has opted to protect the NSA's warrantless wiretapping program in the name of national security. Troubling signs like this make us all the more wary of any promises.
What disturbs us in Obama's cybersecurity plan is the continuing jingoistic approach to the perceived hacker threat. We're quite pleased to see no mention at all of hackers in the main report, but Obama's spoken remarks weren't as tempered. Referring to his own experiences during the campaign, he says, "Between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans." As most of us who read these pages already know, it doesn't take a hacker to gain unauthorized access to a system, particularly one that was obviously so high profile. We have seen numerous examples of employees with organizations (phone companies, Internet providers, etc.) who abuse their access and violate privacy. Does this make them hackers? We also see almost daily instances of nonexistent security where thousands or even millions of personal records are left wide open for anyone to stumble upon, whether it be on an insecure website, a misplaced laptop, or even in a garbage dumpster, to name but a few. Yet, when these egregious violations are eventually uncovered, the threat is deemed to be the "hackers" even when no evidence exists that anyone at all even accessed the information, let alone that they were hackers.
"But every day we see waves of cyber thieves trolling for sensitive information - the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services." It's easy to see the negativity in just about all of these entities. But a "lone hacker?" This is now by default a bad thing? We prefer to think of a lone hacker a thousand miles away as a beam of light and quite possibly the person who can help to find solutions to the very same issues being discussed here.
Hackers will figure things out. They will tell other people. They are the epitome of the open environment that Obama claims to support. They are not the miscreants who profit from corporate espionage, send out a universe of spam, or attempt to cause mayhem through viruses and worms. Over the years, the media has created the perception that anyone causing any sort of mischief on the net or involving a computer is ipso facto a hacker. This, ironically, leads those very individuals who participate in this sort of destructive behavior into proudly labeling themselves as hackers. But they're clearly not and a mere look at the constant dialog that runs through our pages will show any outsider just how seriously true hackers take this sort of thing. By simply awarding any evildoer with a keyboard this title, we wind up giving them far more credit than they deserve and the people with the real talent are themselves categorized as criminals. This is a surefire way to not only lose the battle but to lose a generation of innovators and freethinkers.
We want to be very clear on this. Many hackers do step over the line. Not so long ago, it was impossible for most curious people to play with a UNIX machine without breaking into one. Communications once were so prohibitively expensive that manipulating one's way around the Bell System was almost a necessity for those who simply wanted to stay in touch and share information. We see how society has changed so that these interests (computer access and free communications) are now encouraged. While mischievous and not completely within the confines of the law, such people were never malicious or destructive. Often they enjoyed and understood the systems they were using far more than the legitimate users and they frequently went on to design better ones. We know that many people have a problem with those who step outside the rules and we don't expect ringing endorsements for their behavior. But what we should expect is for distinctions to be drawn between this sort of thing and antics of idiots, vandals, profiteers, and con men who have always existed and always will. Just because they use the technology does not mean they appreciate it or comprehend it for anything more than their unimaginative goals.
Terms like "digital war" and "cyberterror" are great for sound bites but we need to avoid the tabloid approach in strengthening security or we'll inevitably wind up with ill-conceived legislation and a lot of misplaced fear. Done properly, our ideals have a chance of surviving and many of our nation's brightest could help steer us in the right direction.
Emmanuel Goldstein
2600 Magazine
Volume Twenty Six, Number Two - Summer 2009
(Transcribed here with the often expressed permission of 2600 Magazine. Anyone in the computer security industry should be taking two hours four times a year to read this fine Quarterly publication.)
almost 30 years that to infer that hacking is in any way not kosher and acceptable, is not being professional.
The pro's I've studied under have an extreme disdain for the way the news media, and Hollywood have butchered the term.
And of course, unfortunately, now have prejudiced the term beyond all repair. To coin the popular term will get you a door closed in your face, though. Not a good way to start out with the good ol' salty dogs!
I agree, nothing is perfect ... actually nothing in computing is a certainty!
However, that does not mean that malicious hackers are going away anytime soon.
We have access to most, if not all the tools that hackers use to gain entry to systems. We have to be proactive about treating security seriously ... too many admins try to make their lives easier at the expense of security. Management needs to focus on each role and understand that admins are about getting things done - they are often under fire if they miss deadlines. Therefore a person or group is needed to ensure that all devices linked to the internal and external network points are complying with a security standard. This person or group should have access to common hacker tools which are used to identify weaknesses, and should see that proactive changes take place to plug these holes.
Security is a risk vs. effort trade off like most things in computing ... going after the last 10% of holes can take a proportionally large amount of effort to do ... so take care of the other 90% first ... this example was about using ftp to remotely access a server ... it would not even pass another admin's cursory security check, let alone a tool or security person who is specifically targeting this type of flaw.
You have to remember the hackers are not god like creatures, we have access to everything they have, they just spend more time to focus on hacking, we have to get one step ahead and make sure our admin duties do make their lives easier. There are probably only a small number of hackers who have genius like ability to crack things ... most are following well worn paths that most admins should at least be aware of and better yet ensure they cannot be victims so easily as the example in this thread.
I've even managed to keep ftp daemons that will do sftp off my servers in favor of the existing ssh and only a rare user having need to sftp anything over in the first place. FTP and clear text protocols should be caught and eradicated by most administrators' checklists. Heck, I'd end HTTP in favor of HTTPS in a heartbeat.
(The only thing I'd argue with is the idea that Hackers are inherently evil. It's more accurate and does average users more good to simply refer to malicious intentions by the correct term; criminal. No need to make it all romantic and cybery-cool sounding just because they use computers.)
As administration is a dying art, all botnets should be licensed. "Yes Licensed"
There is no need for the creation of a botnet unless you're running Google, Yahoo or Bing.
I haven't read the details but I will tomorrow. If you're correct about this being done through root ftp access, that person was asking for it.
And you can chroot with just about any ftp server vsftpd included; however, you don't allow root ftp access.
I use Linux, and though I feel it is at least an order of magnitude more secure than Windows, I am under no illusion it is bulletproof. See http://www.darknet.org.uk/2009/08/serious-linux-kernel-vulnerability-for-all-2-4-2-6-kernels/ or http://isc.sans.org/diary.html?storyid=6820. As far as ftp, unless it is encrypted first, my understanding is data passes over the wire in plaintext, viewable with a sniffer. Much better to use ssh (sftp), perhaps set up as in Vincent Danen's article http://downloads.techrepublic.com.com/abstract.aspx?docid=372724 where users are not even given shell access but still can post and retrieve files. For those still stuck with legacy OSes like WinXP or (Hasta La) Vista, Filezilla is an excellent sftp client.
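The three points made across the last few posts (no clear-text FTP, chroot the users you do keep, never let root log in over FTP, and prefer SFTP-only accounts with no shell) can be checked rather than just remembered. The following is example code written for this page, not from the thread or from the vsftpd or OpenSSH projects: it audits a vsftpd.conf together with its user deny list, and an sshd_config for an SFTP-only Match block. The directive names are real vsftpd.conf and sshd_config keywords; the sample configurations, the group name sftponly, the chroot path and the deny-list contents are constructed. Whether vsftpd consults the deny list at all depends on the distribution's PAM setup, and the sshd check does not verify that the ChrootDirectory is root-owned and unwritable, which sshd requires before it will chroot.

```python
"""Audit FTP and SFTP-only configuration for the weaknesses discussed above.

Example code added for this page (not from the thread or from vsftpd/OpenSSH).
Directive names are real vsftpd.conf and sshd_config keywords; the sample
configs below are constructed. Defaults follow the vsftpd.conf man page:
anonymous_enable defaults to YES, ssl_enable and chroot_local_user to NO,
and the two force_local_*_ssl options to YES once ssl_enable is on.
"""
import re


def parse_kv(text):
    """Parse vsftpd-style key=value lines; the last occurrence wins."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().upper()
    return out


def audit_vsftpd(conf_text, deny_list_text):
    """Return findings for a vsftpd.conf and the user deny list (ftpusers or
    user_list; whether either is consulted depends on the distro's PAM setup)."""
    c = parse_kv(conf_text)
    findings = []
    if c.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable=YES: anonymous logins are allowed")
    if c.get("chroot_local_user", "NO") != "YES":
        findings.append("chroot_local_user not YES: users can browse outside $HOME")
    if c.get("allow_writeable_chroot", "NO") == "YES":
        findings.append("allow_writeable_chroot=YES: a writable jail root weakens the chroot")
    if c.get("ssl_enable", "NO") != "YES":
        findings.append("ssl_enable not YES: logins and data cross the wire in clear text")
    else:
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if c.get(key, "YES") != "YES":
                findings.append(f"{key}=NO: clients may still fall back to clear text")
    denied = {l.strip() for l in deny_list_text.splitlines()
              if l.strip() and not l.startswith("#")}
    if "root" not in denied:
        findings.append("root is not in the deny list: root FTP login is possible")
    return findings


def audit_sshd_sftp_only(sshd_text, group="sftponly"):
    """Check sshd_config for a Match block that jails `group` to SFTP:
    ChrootDirectory set, ForceCommand internal-sftp, forwarding disabled.
    (sshd also requires the ChrootDirectory to be root-owned and unwritable;
    that is a file-system check and is not done here.)"""
    blocks = re.split(r"(?im)^[ \t]*Match\b", sshd_text)
    for block in blocks[1:]:                 # blocks[0] is the global section
        header, _, body = block.partition("\n")
        if not re.search(rf"\bGroup\s+{re.escape(group)}\b", header, re.I):
            continue
        opts = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                opts[parts[0].lower()] = parts[1].strip()
        findings = []
        if "chrootdirectory" not in opts:
            findings.append("ChrootDirectory missing: users see the whole file system")
        if opts.get("forcecommand", "").lower() != "internal-sftp":
            findings.append("ForceCommand internal-sftp missing: a shell is still reachable")
        for key in ("allowtcpforwarding", "x11forwarding"):
            if opts.get(key, "yes").lower() != "no":
                findings.append(f"{key} not 'no': the jailed account can still tunnel traffic")
        return findings
    return [f"no 'Match Group {group}' block: nothing restricts those users to SFTP"]


# Constructed samples: a careless setup beside a hardened one.
WEAK_VSFTPD = "anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"
WEAK_DENYLIST = "# nobody listed\n"
HARDENED_VSFTPD = """anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
userlist_enable=YES
"""
HARDENED_DENYLIST = "root\n"
WEAK_SSHD = "Subsystem sftp /usr/lib/openssh/sftp-server\nPasswordAuthentication yes\n"
HARDENED_SSHD = """Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

if __name__ == "__main__":
    for label, result in (
        ("weak vsftpd", audit_vsftpd(WEAK_VSFTPD, WEAK_DENYLIST)),
        ("hardened vsftpd", audit_vsftpd(HARDENED_VSFTPD, HARDENED_DENYLIST)),
        ("weak sshd", audit_sshd_sftp_only(WEAK_SSHD)),
        ("hardened sshd", audit_sshd_sftp_only(HARDENED_SSHD)),
    ):
        print(f"{label}: {result or 'OK'}")
```

The vsftpd half treats FTPS as the minimum acceptable state only where FTP cannot be removed; the sshd half is the configuration the earlier post prefers, an account that can push and pull files but never reaches a shell. Run it against the real files by reading them into the two audit functions instead of the constructed strings.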
Our Netgear firewall started sending garbage log files. I checked for a firmware upgrade and it said there were vulnerabilities and a firmware upgrade was needed.
What next?
Managements' job is to evaluate risks and implement processes to minimize risk.
If there wasn't a culture of risk management and process that supported those goals then the problem likely stemmed from bad management.
I still struggle with many clients...and before...bosses...who want I.T. to be an "it's broke and your job is to fix it" mentality.
We fail to convey the fact that management/user cooperation is necessary for I.T. to work. They want us to be washing-machine repairmen and we let them have that illusion.
I'm not saying it's always our fault. Sometimes it is.
I had a conversation with a client this morning that wanted me to say what she wanted to hear. It involved something we always deal with...a generalized scenario in which she wanted to know if I could do something cheaply...with incomplete information.
My answer, I don't know, I'll have to look at the details of the situation.
Not what she wanted to hear but the truth.
Too many I.T. folks say, "Sure, I/we can do that."
You might say how does that relate to this break in? Based on the information we have, it doesn't. But it does relate to comments about patching and updating because I can't tell you how impatient many managers can get over an update that breaks something, even if it's temporary.
We've allowed a lot of folks to think I.T. is just "fixing" computers. It's not. That's actually a very small part of it.
He's the Scottish hacker who brought down loads of servers in the DoD and NASA looking for evidence of Alien contact. I read somewhere that one of the things he was doing was looking for administrator ids with no passwords - and he found shed-loads of them - enough to earn a good few years in jail. Perhaps a mandatory sentence for sysadmins who don't set proper passwords would be better.
This guy, cursed with Aspergers Syndrome, didn't even hack in the true sense of the word. All he did was try a couple of default usernames and passwords and he was in!
And now he faces 70 years in jail in the US for lazy, apathetic administrators!
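The condition described in these posts, administrator accounts that can be entered with no password, is something any administrator can enumerate on their own hosts before someone else does. The following is example code added for this page, not part of the thread: the Unix-side version of that check, reading passwd/shadow-format text (constructed sample lines here; /etc/passwd and /etc/shadow read as root on a real system) and reporting accounts with an empty password field plus any second UID-0 account. Whether an empty field actually grants a login depends on the PAM configuration (`nullok`) and on sshd's `PermitEmptyPasswords`, so the output is a list of conditions to verify rather than proven entry points.

```python
"""Enumerate accounts that can be entered without a password.

Example code added for this page, not from the thread. Input is constructed
passwd/shadow-format text; on a real host read /etc/passwd and /etc/shadow
as root. An empty password field only grants a login if PAM allows it
(nullok) or sshd has PermitEmptyPasswords yes, so treat hits as findings to
verify, not as proven entry points.
"""


def parse_colon_file(text):
    """Split passwd/shadow lines into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def passwordless_accounts(passwd_text, shadow_text):
    """Usernames whose password field is empty (no password at all).

    Locked accounts ('!' or '*' in the hash field) are not empty and are
    ignored; so are accounts with a non-login shell."""
    shadow = {row[0]: row[1] for row in parse_colon_file(shadow_text) if len(row) >= 2}
    hits = set()
    for row in parse_colon_file(passwd_text):
        if len(row) < 7:
            continue
        name, pw_field, shell = row[0], row[1], row[6]
        if shell.endswith(("nologin", "/false")):
            continue
        if name in shadow:
            if shadow[name] == "":
                hits.add(name)
        elif pw_field == "":        # no shadow entry and an empty passwd field
            hits.add(name)
    return sorted(hits)


def extra_uid0_accounts(passwd_text):
    """Accounts other than root with UID 0: full privilege under another name."""
    return sorted(row[0] for row in parse_colon_file(passwd_text)
                  if len(row) >= 3 and row[2] == "0" and row[0] != "root")


# Constructed sample files (hashes abbreviated; they are not real).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
admin:x:1000:1000:Admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/sh
legacy::1002:1002:No shadow entry:/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$abc$HASH:18000:0:99999:7:::
toor::18000:0:99999:7:::
admin:$6$abc$HASH:18000:0:99999:7:::
backup:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    print("no password:", passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("extra UID 0:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On the constructed sample this reports guest, legacy and toor as passwordless and toor as a second UID-0 account; backup is skipped because its shell is nologin, and the locked and hashed entries are left alone. The same two functions work unchanged on the real files once read in.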
Not a hacker by any means, just a guy with a computer that tried already known weaknesses and got lucky.
Sadly, he'd have been just as villainized had he only broken into one US Gov computer. The military doesn't have any sense of humor about that sort of thing.
He should be held accountable for his actions but like similar cases, the penalty far exceeds the crimes committed.
The media doesn't help his case by constantly calling him a Hacker and always using one of three evil looking stock photos.
I agree, the real issue should be why such computers were left wide open by irresponsible administration.
Aspergers makes someone obsessive about a particular subject, in this case, a search for extra-terrestrial life. It did not make Mr McKinnon a hacker. It became a tool for him to achieve his compulsive end.
What does getting real have to do with that?
so, because someone is obsessive about a particular subject, they commit crimes?
Dear oh dear.
And after committing the crimes they should get away with it because.....?
Then suddenly we all have....