Message-ID: <2FE3228499A87F47ADF0B903A063D7450577A3E6@bdo-syd-nt-02.bdonsw.local>
Date: Thu, 16 Feb 2006 08:54:51 +1100
From: "Craig Wright" <cwright@...syd.com.au>
To: <self-destruction@...best.com>, <bugtraq@...urityfocus.com>
Cc: <mjr@...um.com>
Subject: RE: Vulnerabilites in new laws on computer hacking
Hello,
I will apologise in advance as this post is a demonstration of
ignorance, inexperience and just a plain lack of knowledge of reality.
This is akin to stating that Police in a robbery and assault division
would be more effective if they have experience. Should we also extend
this to murder? Should we only choose those with criminal records for
places of trust and responsibility?
Marcus Ranum who is generally respected in this industry has stated
""Hacking is Cool" is a really dumb idea." He has also said "If you're a
security practitioner, teaching yourself how to hack is also part of the
"Hacking is Cool" dumb idea." I prefer his motto..."Good Engineering is
Cool".
"If you hire someone that has never broken into a system, this guy will
not be able to produce valuable reports for customers because he will
not be able to find vulnerabilities that can't be found running a
scanner."
The quote above is wrong. Empirically and categorically wrong. This is a
case of blind assertion with no proof let alone evidence. Let's look at
things a little scientifically. For all you hope to demonstrate with
this style of pen. test you are only as effective at best as a poorly
run hands on vulnerability based risk assessment. Statistically a pen
test will find 33-37% of the total systems vulnerabilities based on a
system set-up to the SCORE configuration standards.
Next they have no risk process. The likelihood is not taken into
account, the threat is not analysed based on a scientifically sound risk
model. You are selling FUD. This damages all security professionals. But
then you are talking about "crossing the line" so I guess this means
that you are not acting professionally.
"malicious, but that do cross the line sometimes" - or they are willing
to break the law a little! Ethics - how many of you subscribing to this
idea have a professional qualification? Please hand it back if you do as
you have missed the ethics clause.
Maybe Marcus would like to comment on this?
Regards,
Craig
-----Original Message-----
From: self-destruction@...best.com [mailto:self-destruction@...best.com]
Sent: 12 February 2006 3:35
To: bugtraq@...urityfocus.com
Subject: Vulnerabilites in new laws on computer hacking
It'd be interesting to see if this post gets approved by the moderators
of bugtraq.
As all of you know, this forum (bugtraq) is constantly monitored not
only by crackers and infosec professionals, but also by government and
law-enforcement agencies.
The reason why I'm posting this message is because I'd like to bring
attention to the new laws on hacking.
As everyone knows, laws on computer hacking are getting tougher. There are
however, some negative consequences.
"Advanced societies" are updating computer crime laws faster than the
rest of the world. This means that new generations of these more
"advanced societies" will have no clue about how remote computer attacks
are carried out. Future generations of security "experts" will be among
the most ignorant in the history of computer security.
New generations of teenagers will be scared of doing online exploration.
I'm not talking about damaging other companies' computer systems. I'm
talking about accessing them illegally *without* revealing private
information to the public or harming any data that has been accessed. To
me, there is a big difference between these two types of attacks but I
don't think that judges feel the same way. Furthermore, I don't even
think that judges understand the difference.
Now, I'm not saying that I support accessing computer systems illegally.
All I'm saying is that by implementing very strict laws on "hacking", we
will create a generation of ignorant security professionals. I think to
myself, how the hell will these "more advanced societies" protect
themselves against cyber attacks in the future?
These new tougher computer laws will, in my opinion, have a tremendous
negative impact in the defense of these "advanced societies". It almost
feels to me like we're destroying ourselves.
I know what you're thinking. You can learn about security attacks by
setting up your own controlled environment and attacking it yourself.
Well, what I say is that this approach *does* certainly make you a
better attacker, but nothing can be compared to attacking systems in
real world scenarios.
Now, I personally know many pentesters and I can say that most of them
*do* cross the line sometimes when doing online exploration in their own
free time. However, these guys would *never* harm anything or leak any
sensitive information to the public. That's because they love what they
do, and have very strong ethical values when it comes to privacy.
I would say that most pentesters are "grey hats", rather than "white
hats". In fact, I believe that the terms white and black hat are
completely artificial because we all have different sides. The human
mind is not binary, like black or white, it's something fuzzy instead,
with many layers. The terms white and black hat were, in my opinion,
created by business people to point out who the "good guys" and "bad
guys" are.
If I was the technical director of a computer security testing company I
would try to find pentesters that are not malicious, but that do cross
the line sometimes but at the same time, know when it's a good time to
stop exploring.
If you hire someone that has never broken into a system, this guy will
not be able to produce valuable reports for customers because he will
not be able to find vulnerabilities that can't be found running a
scanner.
In summary, I'd like governments of the world to rethink their strategy
when fighting computer crime. Extremism never worked and never will.
Remember, many of today's script kiddies will be the infosec
professionals of tomorrow.