Subject: Re: "Black Hat" v "White Hat"
From: J C Lawrence (claw at KANGA.NU)
Date: Tue Oct 17 2000 - 01:05:43 CDT
- Next message: stewart_watkiss at UK.IBM.COM: "Re: Symantec IDS Experts????????????????????"
- Previous message: Dumb User: "Symantec IDS Experts????????????????????"
- Maybe reply: J C Lawrence: "Re: "Black Hat" v "White Hat""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 21 Sep 2000 22:21:26 +0100
GBH <gbh at MAITLAND.DEMON.CO.UK> wrote:
> Do the people on this list worry about the origins of the people
> who code their respective IDS products?
I don't.
> Does anyone else suspect, as I do, that a proportion of the actual
> "techies" in the backrooms of these organisations were at some
> time, or may still be, part of the hacker community in some way?
Ignoring the definitional abuse of the term "hacker", in general
no. I look at it this way:
An individual, publicly known to have previously been a system
cracker, published IDS code. He really has two options:
1) Write the best code he can, that does what he says it does,
and thus improve his reputation and life chances. He is, after
all, in a sense, permanently on trial in this field now, sad as
that may be.
2) Try and get away with something by leaving a backdoor in his
code and hope that nobody notices.
I'm generous enough to expect that #2 is going to be vanishingly
rare. I'm also personally generous enough to like to presume well
of people. I'm not going to think that it will never happen, but
I'd rate the odds of it occurring in the sub 0.1% range. Security
after all is a question of intelligent risk assessment.
> Have any of you seriously tried to research the staff a company
> has or even thought twice before buying a particular solution
> about the integrity of the coders or staff?
Yes. I loosely follow the activities of people like L0pht (not to
tar them with the "system cracker" brush) etc and acknowledge their
persistence and ability in specific areas. I certainly trust their
statements and activities far more than I do most large commercial
systems vendors (for instance). Again, this is a question of
intelligent __informed__ judgement.
Your views may (and likely will) vary from mine on various aspects
of system security. In this field I trust that they differ because
after careful examination and deliberation over the actual evidence
and behaviours you arrive at an intellectually supportable different
position.
I'd hate to see system security become a question for the fashion
police, be they the moral fashion police or crypto-nazis.
> Has anyone here ever been influenced by the suspicion or proof
> that hackers are at work on a particular product?
Yes. On odd occasion I have specifically chosen tools because I
knew of their authors' prior-life activities and trusted their
detailed assessments of the area.
> For my own opinion I think that there are varying degrees and
> things are not just black and white. To my mind there should be
> sufficient change control and peer verification that no malicious
> hacker could get code into a live product in order for him to
> exploit. Add to that, that "black hat" developers can be every bit
> as good or better than their out and out "white hat" counterparts
> and it muddies the water even more.
Perhaps this becomes a little clearer if we rephrase the question
slightly:
1) Can people change?
2) Is it correct to judge a tool by its behaviour, or by the past
activities of its author?
FWLIW my answer to #1 is "Hell yes!". I should note that if it
weren't I'd be having a hell of a tough time in life right now.
As for #2. Yes, it is a data point. Just as if this were a
previously unpublished crypto algorithm that I'd partially judge of
the rigorousness of its author's prior crypto work,
_IN_THE_ABSENCE_OF_OTHER_DATA_ I'm going to judge based on the
histories of its authors. That judgement might be positive, and it
might be negative. The greater the possible public scrutiny of the
tool, and the greater reputational and personal relation systems
play in regards to that tool ("dick size wars" if you will), then
the more likely that judgement is to be positive.
However, I note from a social engineering 'hack' vantage, that
successfully hacking the security community into accepting and
trusting a hacked tool carries serious status points.
> P.S. PLEASE don't start naming particular vendors unless it's
> absolutely necessary.
I won't.
Perhaps the most interesting aspect of your question and the
subsequent responses to it is that they all (rare exceptions) look
at it as a technical question. It really isn't. It's a social
engineering question. This is not a question about a possible
design or implementation compromise in a tool, but in whether a
specific human *SYSTEM* (not individual, but system) is trustworthy
in specific regards.
It's a very human question -- and man is prone to witch-hunts.
--
J C Lawrence                                Home: claw at kanga.nu
---------(*)                               Other: coder at kanga.nu
http://www.kanga.nu/~claw/          Keys etc: finger claw at kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--