From: avalon at caligula.anu.edu.au (Darren Reed)
Subject: USDOJ BRAINWASHING TECHNIQUES

In some mail from KF, sie said:
> 
> > The fact is we need to take measures that help children
> > understand hacking. This is hardly an issue of brain-
> > washing. It is an issue of survival as a society. The more
> > we help children understand about malicious hacking, the
> > less likely they will perform these acts later in life.
> > That only benefits society on a universal scale.
> 
> Imagine if they would have done something like that with future <insert 
> company name here> coders... Impress into their brains to not code 
> security holes in to <web server xyz> in the first place.
> 
>  > Imagine if someone could have swayed the group of "hackers"
>  > that destroyed a laboratory's long-term cancer research by
>  > teaching them the necessity of universal survival as children.
> 
> How about if they swayed the admin (as a child) to just patch his box up...
> 
> Don't get me wrong...I will agree that educating children to not hack 
> *could* cut down on attacks however it does nothing to stop the 
> vulnerabilities that exist in soooooo many products. Time would be 
> better spent educating the kids about how vulnerabilities are caused and 
> what they could do to help prevent the issues to begin with. Teach these 
> kids to not use strcpy into a fixed buffer or something.

The nature of this discussion is disturbing and you've mixed up a
number of completely different problems into the one paragraph, as
if they were somehow an excuse to not promote hacking as bad.
Furthermore you have trivialised a number of points that are serious
issues for the IT industry, as a whole.

1.
Hacking *IS* bad and if children for some reason think it is cool
then they need to be educated so that they understand it is NOT.
There is no two ways about it.  At the small end of the scale, I
don't even view unauthorised port scanning as morally acceptable
(even if the courts don't find it illegal), never mind actually
breaking into one.  It is an invasion of privacy, no two ways about
it.  The presence of software bugs is not an excuse to exploit them.

2.
Secure programming is something that needs to be taught at a level
that is appropriate and that is definitely not primary school or
maybe even grade school.  The problem is children who think they
can program teach themselves bad habits and these bad habits do
not get corrected later as they go on to become professional
programmers.  Regardless of talent, you should not be allowed to
develop commercial applications as a programmer unless you have
been properly schooled and thereafter stay current.  That aside,
security bugs can be much more than just a buffer overflow.  What
is really being said here is that software is not tested/evaluated
to a high enough standard before being sold/shipped - this includes
open source products.

3.
In my eye, it is glaringly obvious that we (the royal we) do
not yet have a sound foundation for what makes up good system
administration practice.  In part the problem here is that
people are encouraged to believe just anyone can do it or,
rather, that just anyone is expected to do it (e.g. Microsoft
Windows 2000 and later for "home".)

Just to leave you with an end teaser, consider what it would
mean if software sold could not disclaim fitness for purpose.

Darren
