NFR Wizards Archive: Re: Extreme Hacking

Re: Extreme Hacking


dreamwvr (dreamwvr@dreamwvr.com)
Fri, 09 Jul 1999 10:33:17 -0600


hi all,
>> Knowing the potential vulnerabilities of a system is the first step towards
>> making it secure. It's even better if you can get ahead of the curve and
>> discover new methods of breaking into a system that aren't yet public
>> knowledge -- your systems will be that much more secure. Who better to
>> secure a system against crackers than a cracker, provided you trust them?
i would have to agree here that is why apparently janet reno hired some to
test some .gov networks fairly recently. you need IMHO a person that thinks
like a hacker to protect your networks. This is something i was accused of
when going to school many years ago:-{ The mentality of many system admins
is that if you think like a hacker you are a hacker. To many this is
downright wrong and will dissuade many that could otherwise contribute to refrain
simply from past experience. having said that the mindset of many administrators
must change if there is even the foggiest hope of 'some more' security than
exists today. How many times have you had the individual who can piss the
farthest get more in the way of your mission than assist simply due to no
understanding in this arena. With the result that we are all lesser for it:-(
>Knowing how to break into a system does not provide knowledge in making it
>secure. Whilst there is definitely some feedback between the two, one does
>not imply the other. For example, how does knowing to run program B with
>host X as the target, resulting in shell access help me in securing it ?
>Disabling and removing whatever is responsible for allowing program B to
>work is not an acceptable answer.
yes but if you are able to demonstrate or articulate the exploits this
will often be enough to get upper management to sign on a project. otherwise
it is simply another story that they will balance off according to the
tangible effect on their bottom line. let me ask you this: how many of
the consultants truly have carte blanche? So as a result we all lose in
batting down the hatches;-} i guess what i am saying is hearsay is often
taken lightly without tangible proof. Also the decision makers are constantly
being bombarded with propaganda from everyone selling snake oil to the
fountain of youth..:-/
>> See above. It's one thing to teach someone how to secure a system, but if
>> they don't know *why* what they're doing will secure it or further be able
>> to notice other vulnerabilities in the system that weren't pointed out to
>> them then at best they will be a second-rate security expert.
i would agree here that the need is to understand the "Why 4 HOW COME"
most times IMHO if you don't understand the problem you can't really
come up with a good solution. probably the best security is the virtual
network though which i gather most of us are running 2 at this time;-)
so how can we improve by remaining flexible. i do think though that many
that take this wallet thinner will be more enlightened as they would not
take a course like that unless they were having difficulty in understanding
what they were protecting against. E&&Y is simply riding the wave of
insecurity that the corporate world is dealing with right now. I am not
so sure that if i were a public company i could resist the temptation as
well. After all they do have to keep their shareholders happy don't they.
What depresses me often times is the impression that if you are the
'Golden Arches' you make a better burger || for that matter know how;-(}
>But E&Y aren't teaching you how to secure a system, they're teaching you
>how to commit a crime, unless breaking into systems isn't a crime where
>they're taking those classes.
how much can they truly teach in a few day course? how long did it take you
to understand the problems with TCP/IP ? How long did it take you to understand
what is occurring under the surface in UNIX? if you are anything like me it
surely wasn't overnight and i am still learning something pretty much
everyday.
IMHO if you're not you're dead in the water..
>> I also don't mean to glamorize crackers (hackers are people that write code,
>> why is the terminology so often messed-up?) but in all honesty the vast
>> majority of them aren't motivated by maliciousness so much as a desire to
>> see if it can be done.
again i would agree here there are many... many that are simply interested
in how the system gets the work done. inquiring minds want to know. since
hollywierd has obfuscated for the masses the original concept of the hacker
as opposed to the cracker we are left with an even more confused public. They
often think they are the experts since they saw it on 'investigative reports'
&& i didn't since i was hiding behind one of my cpus at the time;-]
>In something that recent legislation
>here in Australia brought up, it's against the law to publish a book which
>is instructional on committing a crime. The Internet has changed all that
>with instructional pages on just about everything under the sun available.
>I don't know if it's the same elsewhere with books, but condoning the
>dissemination of knowledge about how to break the law seems somehow flawed.
that is what democracy is about. freedom to choose either wrongly or
otherwise.
where does it end when we all have an invisible tattoo on our forehead?
that is a bit hypocritical as well considering that Australia in recent history
used to check the palms and eyes of all immigrants to determine whether they
were acceptable. i surely won't go further on that line. then again i saw
that one on a recent documentary so maybe that too is a story:-} Somehow i
doubt it.. Ever Read Fahrenheit 251? enough said..
Regards,
dreamwvr@dreamwvr.com
Reuters, London, February 29, 1998:
Scientists have announced discovering a meteorite which will strike the
earth in March, 2028. Millions of UNIX coders expressed relief for being
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

************** DREAMWVR.COM - TOTAL INTERNET SERVICES ****************
  TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..
           <http://www.dreamwvr.com/services/MAX_SEC.html>
   DREAMWVR.COM - The Console of Many... 24 X 7 Evolution Internet
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr@dreamwvr.com>
 -> Linux-Mandrake Solution Provider and North American Distributor <-
        <http://www.dreamwvr.com/mandrake/mandrake-dist.html>
  "As Unique as the Company You Keep." "===0 PGP Key Available
________________________________________________________________________

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:02 CDT