Information Security News mailing list archives

Believe it or not, there are hackers lurking everywhere


From: InfoSec News <isn () C4I ORG>
Date: Wed, 23 Aug 2000 01:39:05 -0500

http://www.globetechnology.com/archive/gam/News/20000822/ROUTS.html

PERSONAL VIEW

"PALANTE"

Tuesday, August 22, 2000

Two things come to mind when reading Victor Keong's recent Personal
View (Don't Hire DefCon Hackers -- Aug. 8). First, the author's firm,
as reputable as it is, obviously has a financial interest in companies
not contracting elsewhere. Second, from his vivid description of
DefCon, it sounds as though the author attended the hacker conference.
Does that make him a DefCon hacker, or just "everyone else" that was
there?

By my interpretation of the article, there are two reasons why a
company shouldn't hire DefCon hackers. These are the people
responsible for problems in the first place, who irresponsibly and
recklessly release damaging exploits for their own purposes. And if a
company is worried about a security threat, why hire a bunch of
rebellious misfits to help when it can get respectable people, such as
the author's firm?

I have a different view on both items.

I think it's safe to say that most members of the hacker or "black
hat" community have long since lost faith in vendors' incentives to
secure their products just for the sake of quality. In reality, it is
corporate cost management and lack of priorities that have placed
their customers in danger. I've seen serious yet easy-to-fix known
vulnerabilities go unfixed by vendors for three or more years through
multiple product revisions.

Imagine if bridge builders erected their structures in secret using
proprietary plans and refused to subject them to outside inspectors.
And what if the bridges had a history of collapsing and killing
hundreds at a time? Would you blame the bridge builder, or would you
blame the people who prove they can collapse that bridge when, where,
and how they want, and that it's really not safe yet?

When it comes to hiring hackers, remember that we're talking about a
company paying someone to tell it about risks it may not even know
exist. The more a company's consultant knows about such "black arts,"
the fewer unknown risks there will be. The very nature of the subject,
however, means that the people who know the most about new holes are
the people who find them, the people who incessantly tinker, poke, and
study. That's a hacker. The hackers who tinker, poke, study and write
code the most -- or the best, I should say -- are also the ones most
likely to have connections to the computer underground, and who
advocate full disclosure once they discover things.

So when I hear a company say it doesn't hire hackers (or "black hats,"
or whatever) to conduct information security assessments, my first
thought is that it's lying or it's naively ignorant of who works for
it.

The real question is not whether a consulting firm has hackers,
crackers and black hats, but rather why a business should trust them.
The business should ask for resumes and look into the consultant's
reputation, but it shouldn't assume that the DefCon people it hears
about aren't the same people who work for respectable security
consulting companies.

And by the way, I secretly wear DefCon T-shirts under my consultant's
attire. It's a matter of mindset, you see.

"Palante" is a pseudonym. The author is affiliated with hacker
collectives Ghetto Hackers and Subterrain Security Group, and works
full time in an unnamed Fortune 500 company's infosec consulting
division.


Report on Business welcomes Personal View submissions. Submit to
pnowak () globeandmail ca

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
