From: yossarian at planet.nl (yossarian)
Subject: Security Industry Under Scrutiny

You have a clear point here. Knowing the enemy is essential. But looking at it statistically, there are a lot of criminally inclined people, but only very few spies. People in intelligence are usually very dedicated but dull professionals, and would hardly qualify for this definition of spies. Most people in the CIA do desk jobs, and even in more exciting outfits like the Mossad or the Sûreté, the majority of the work is gathering information by munching paper and wiretaps, hardly any James Bond or Reilly stuff. Maybe the people disappointed in intelligence work become hackers - nah, just kidding. These narcissistic, paranoid, antisocial etc. people do exist, but I doubt if there are many. And only few of them will be into computers, since this type of person has a wide range of career opportunities - politician, lawyer, actor, football, boxing, to name but a few.

If you are referring to industrial espionage, this is a different case. But for that, hacking on a network is much less effective than some social engineering and financial lubrication, or Carnivore. And again, the computer security industry which is supposedly under scrutiny rarely touches on this and comparable issues - it is fighting viruses and selling VPN's to spend less money on dial-in servers and phone lines, using encryption that dedicated ASIC machines can break in a few minutes. Yes, but only governments have the budgets required, so there is no problem. Look at the revenues - the other parts of IT security are peanuts. MSSP's would boom, said Gartner - didn't happen. PKI would rule, hasn't happened in over 20 years. AAA and personalisation would be the next killer app - it ain't happening. Securing the DNS system should be issue nr. 1, they said. Nothing changed. Bin Laden would launch major cyberattacks in a matter of weeks - again nothing. Everyone would go Common Criteria or ISO17799. They don't.

Tons of money have been invested to cash in on these things - wasted. Real things happened in security, but not in information security. Like I said in my previous posting in this discussion, maybe we are just not that important. Hence, the discussion about blackhats and whitehats cannot be that important. It does prove that in the IT security business we are narcissistic and paranoid - just looking at our own small world, getting status by pointing out the risks to anyone listening, seeing dangers under the bed.

Apparently some intelligence outfits do industrial or commercial espionage with computers - like the Dutch version of the NSA, the AIVD, reported. But the bad guys referred to are the Americans (the advice was not to use major software companies' software because it might contain backdoors and you don't get the source, and since most major software companies are American ..., well, you get it).

Yes I am paranoid, but I work in the IT security industry, so that doesn't count. I write long postings on this list, so I probably am narcissistic. My colleagues tell me I am anti-social. Yes, you are right, the espionage-prone type will work in the industry.

I think the scrutiny should be: why doesn't the industry go for the real issues in information security? My guess is because they cannot be solved with a computer program. Basically we are just IT people selling another type of program. It truly is like the cartoon said: e-business didn't work, Y2k is over, let's do security. So we hype and hyperventilate. And we are missing the real issues.

----- Original Message -----
From: "ratel" <ratel@...lvault.com>
To: <>
Sent: Wednesday, January 22, 2003 9:35 PM
Subject: [Full-Disclosure] Security Industry Under Scrutiny #4

> -----BEGIN PGP SIGNED MESSAGE-----
>
> >Interesting point - the motives of the criminal. The motives are part of
> >the key to this problem, the other part is effectiveness. The essence is -
> >for a criminal - making crime pay, like Perry managed, and getting away with
> >it, where Perry flunked.
>
> The main problem with the rest of your post is that you're trying to
> equate the psychology of hacking with the psychology of crime when a far
> more appropriate analogy is the PSYCHOLOGY OF ESPIONAGE. A substantial
> overlap with the common criminal to be sure, but an entirely different
> kind of beast. I like to think so, anyway. Did you know that people
> prone to espionage overwhelmingly share an unusual combination of three
> personality disorders: narcissistic, antisocial and paranoid.
> Narcissistic, antisocial and paranoid? Imagine that! Sound like anybody
> you know in the security business, hmmm? heh.
>
> There's a huge body of literature out there on this you can find on your
> own, if it interests you, knock yourself out: you might be surprised at
> what you come up with. Here's a start--a lot of great information which
> also has the added benefit of being unintentionally funny as hell...
> http://www.dss.mil/nf/adr/. As far as I'm concerned, the only difference
> between sophisticated hackers and high-impact spies is a matter of the
> environment they find themselves in. Likewise, script kiddie carders
> correspond to dumb grunts caught selling secrets to make a fast buck.
> Etc. etc. draw your own parallels.
>
> Is it any coincidence that Robert Hanssen was planning on taking a
> job in the computer security industry?
>
> I think not.
>
> Ratel.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: MailVault 2.2 from Laissez Faire City http://www.mailvault.com
>
> iQA/AwUAPi8AXOYNtyh3zif9EQIpnQCfZ61wTbxSoW2LSTYLrJuXy2RmdCAAoKU+
> T7VqUwAVLKw6ySON1Apcya1y
> =h1DV
> -----END PGP SIGNATURE-----
>