NFR Wizards Archive: Re: Extreme Hacking

Re: Extreme Hacking


Marcus J. Ranum (mjrnfr.net)
Mon, 05 Jul 1999 16:26:55 -0400


>Ernst & Young made headlines in TIME when they offered the first run of
>their Extreme Hacking course. 5 days of Unix and NT hacking, with a CD to
>take home. The participants are somewhat screened by having to be referenced
>by the local EY office. Recently, I was told attendees learn new
>exploits and hacks that we will probably only see out in the open in 1-2
>years.

I have to remain a little sceptical on this point. What I think
they mean is that they invented a few tricks of their own, which
they aren't planning on publishing -- they'll leak out pretty
quickly, once the class has run a couple times. I find it hard
to imagine that teaching something in a class is a good way
to keep it a secret.

>So, the question arises: what other companies have such
>DBs?

A number of "reputable" security companies develop their
own hacking techniques. I'm not sure what the justification
is -- other than that it just comes naturally, since they
tend to hire "ex-"hackers. It'd be unrealistic to expect
those guys to stop thinking in terms of how systems are
broken into, and to shift their thought-patterns into thinking
about how to keep systems secure.

>What are they worth? And the real issue: is there anything in there you
>won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.

Am I the only person who has a problem with the idea of someone
teaching hacking techniques? Sometimes I think I am.

Hacking isn't a technological problem, it's a social problem.
As such, it's not going to be "solved" by technological means,
but rather by social means. I'm pretty sure that the best way
to reduce the amount of hacking is _not_ to glorify it, charge
people money to learn it, and hire people as consultants for
lots of money because they have hacking backgrounds. The only
way I can think of to make hacking unattractive is to make it
really really expensive when you get caught.

Here's a thought: when one of us gets broken into using one
of the secret new techniques that E&Y is teaching, let's
sue E&Y for developing it and disclosing it irresponsibly.
They've got deep pockets. We're working in a legal environment
where gun manufacturers are sometimes held accountable for
the actions of their guns - it should be a dead simple argument
that E&Y should be held accountable for the actions of
their hacking techniques, and/or anyone and everyone who
has been through their training. Thought provoking, huh?
I know a good ambulance chaser lawyer, who'll work for %33
of the take...

mjr.

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:02 CDT