Ex-hackers 'rubbish at security'

Started by Metgod, November 05, 2003, 01:15:01 PM

I find this to be a really amusing article.. it actually reminds me of Taz's quote about a good hacker and a great hacker... it makes perfect sense.

I must say though, that while a lot of the time the points made in this article are true (to a degree), with increasing forensics and other things such as that (and more awareness [though not too much heh]), it's not always true anymore. Besides, we all know some really good ones in the past have been caught... because of 'hacker wars' AND EVERYONE MAKES MISTAKES IN LIFE... but still quite some interesting points, and to me, very amusing..

I think this is VERY accurate, however, about worm / virus / trojan writers (I'd say Backdoors too but I don't think that's always the case) and more importantly: about script kiddies (including DoS/DDoS kiddies) and web defacers (which I'd say are script kiddies anyway)...

And one thing is very clear: it is indeed true that just because someone knows how to break security, does not mean they know how to protect.. but I think it's VERY important that someone who protects does understand how to break in.. BUT they must understand how or why it works and how to protect as well. Just think of Dan Farmer (and his colleague who I can't ever remember how to spell his name..)'s paper on _Improving the Security of your Site by Breaking in to it_


Any thoughts or comments ?
(oh and I'm making a few comments below too..)

cheers,
Met.


http://www.pcw.co.uk/News/1147140

By Iain Thomson
[04-11-2003]

Companies should stop hiring hackers to beef up security - not for
ethical reasons but because they are no good at it, according to
experts.

[ not always true.. ]

Delegates at the RSA Security Conference in Amsterdam heard a panel of
reformed hackers, police officers, members of the legal profession and
corporate security experts launch scathing attacks on the abilities of
most hackers.

[ then are they real hackers ? probably depends on who you ask i guess... ]

The skills that make a good hacker are not the same as those required
by an IT security officer, delegates were told.

"Everyone thinks that if you know how to break into a system then you
must know how to protect one. It's rubbish. I could teach a monkey to
break into a system in four hours," claimed Ira Winkler, chief
security strategist at Hewlett Packard.

[ Yeah, right. I believe THAT one.. four hours my ass.. you couldn't teach anyone (or any thing) everything in that time. you might be able to teach a few exploits but i bet this monkey couldn't break into more protected systems..]

"While there are highly skilled technical hackers out there, they are
the ones you never know about because they don't get caught."

[ as with everything in life.. this isn't always true.. there are exceptions. and even the most highly skilled hackers can make simple mistakes.. it's a fact of life. ]

But most hackers are IT professionals in their 20s and 30s, suggesting
that companies may be late in their realisation that cyber-poachers do
not make good cyber-gamekeepers.

[ oh yeah ? then what age would be important ? It depends on how many years of experience and just because someone is 'young' does not mean they are not highly talented, able and knowledgeable people... Does anyone here believe this claim.. I know that a lot of us here are in 20s or 30s... ]

"Why would you want to employ a hacker with a criminal record, i.e.
someone so bad they'd been caught?" asked Tony Neate, industry liaison
officer at the National High Tech Crime Unit.

[ sometimes it takes years to catch them.. that's pretty good I'd say.. many people know their stuff well and the only way they get caught is advanced technology. ]

"After all, if a bank is looking to employ a security guard they don't
try and find a former bank robber to guard their safe. Companies must
be sure that they know their staff's backgrounds."

[ I don't even think this has anything to do with this; i.e., I think this is a bad example. maybe I'm wrong though.. but it seems like a bad example. This is completely different. One crime, the person is physically there, the other one, the person is not. And let's always remember that some (not all and in this case it's probably not true) people CAN reform and be VERY good people.

Oh and I find it funny how this person mentions a company must understand the background, and yet so many companies are broken into by their OWN employees.. even if the background is known. So much for that argument. Still interesting though.. ]

Checking employees was highlighted as essential, but there was a gap
in the law as juvenile criminal records are sealed when the
perpetrator reaches adulthood.

[ I wonder why... ]


But a quick search of the internet using a web or newsgroup search
engine should reveal details of a person's hacking history, if it
exists.

[ should and will are two different things.. ]

"My Terminal is my Soul"
