From: sockz at email.com (sockz loves you)
Subject: Security Industry Under Scrutiny: Part Two

hi full-disclosure,

I was going to write to you today about one of the projects I've been working
on, but it's not complete yet, so I'll save it for another day.  It seems that a
lot of people are talking about this "UK hacker", a 36yo guy by the name of so1o.
I won't, cuz it's boring already.  The other piece of interesting news that I AM
going to discuss though, is the prospect of new or changed legislation affecting
internet security and cybercrime in general.

A couple days ago wired ran an article 
[ http://wired.com/news/politics/0,1283,56351,00.html ]
about changes to legislation in the US, regarding hacking and terrorism... the
Cyber Security Research and Development Act.  What does this act do?  Well it 
aims to increase funding for the security industry in the US, as a means of 
combating cyberterrorism and cybercrime.

To quote Michael Grebb in his article:

--------------------------------------------------------------------------------
"the bill's backers said cybersecurity funding is now inadequate, especially if
terrorists were to time cyberattacks with physical attacks similar to those 
carried out on Sept. 11, 2001. The result could cripple vital response services,
most of which rely on computer networks."
--------------------------------------------------------------------------------

This bill aims to increase protection measures against cyberterrorists by 
increasing funding for the security industry.  Politicians say it will do this
through increasing funding to colleges and schools around the nation in the hope
that they can reduce the 'moron' side of the moron-to-expert ratio of computer
security graduates.

How amusing that, more than a year after the catastrophic events of the WTC and
Pentagon attacks, we NOW find bills being put into place to combat terrorism.
Now it would seem that you don't have to work for a terrorist organisation to be
targeted by this bill.  It seems that today if you hack any major corporation 
or any kind of government computer (regardless of its use and the information it
holds) you transcend from being "hacker" to "terrorist".  How is it terrorism 
when the only fear it inspires is from the story that the government gives the 
press?

Why would the government want to create fear?  Because catastrophes are good for
the economy.

--------------------------------------------------------------------------------
"'We will have a synergistic outcome with catastrophic results,' said Rep. Brian
Baird (D-Wash.), who co-sponsored the bill."
--------------------------------------------------------------------------------

I couldn't have said it better myself.  Once you get through all the corporate
buzzword jargon here we get a sentence that reads "The end result will be a
co-operative effort towards catastrophe."  If you create more whitehats then you
create more advisories.  If you create more advisories then you create more
0-days available to script kiddies.  When this happens the security industry
makes more money, but more people are at risk.

It's like when an oil tanker bursts a leak and spills oil all over the ocean.
It's sad for the animals, sure, but all the humans profit.  The media gets money
from covering the spill; scientists get money for taking care of the animals and
then they get more funding to come up with some new technology "for next time";
if there is a fire then the ppl who put out that fire get paid money; if there's
a terrorist involved then the CIA gets money to track them down; the list goes
on.  With everyone getting paid lots of money they can afford to buy more stuff.
And people buying more stuff means a greater purchasing power for the State,
which ultimately improves the economy's power in international trade.

The last thing this world needs is more dolts working for the security industry
because it's these idiots who create the oil spill in the first place.  What we
DO need is to redesign the current system to remove vulnerability information 
from the eye of the general public... to avoid a "next time" as much as 
possible.  Sure it makes money, but releasing more oil (advisories) into the 
ocean (community) does not make for a healthy environment (security).

The other article I looked at was one on news.com, entitled "House considers
jailing hackers for life".
[ http://news.com.com/2100-1001-965750.html?tag=fd_top ]
What is this one all about then?  Well it seems to be the government's feeble
attempt at threatening hackers who could be labelled as terrorists.  Declan
McCullagh writes:

--------------------------------------------------------------------------------
"CSEA expands the ability of police to conduct Internet or telephone
eavesdropping without first obtaining a court order, and offers Internet 
providers more latitude to disclose information to police."
--------------------------------------------------------------------------------

Australia has seen a similar thing happen with ASIO's authority in the past year
or so.  In April, The Australian ran an article by Kate Mackenzie about deals 
between law enforcement agencies and ISPs.

--------------------------------------------------------------------------------
According to sources within the ISP industry, who did not wish to be named, 
various law-enforcement agencies were working directly with large ISPs to 
formalise the storage and delivery of data, particularly real-time 
communications of suspected individuals. 
--------------------------------------------------------------------------------

It is the government's hope that they can combat cybercrime by increasing 
surveillance measures and the penalties for hacking.  THIS WILL NOT WORK.  The
majority of cybercrime comes in the form of script kiddies, and employs those 
exploits that have been known about for ages.  The whole reason why script 
kiddies are attracted to cybercrime is because of the "bad boy" label that they
are branded with by their peers.  So increasing the penalty for 'hacking' will
only serve to increase the fame of script kiddies among their peers, causing 
more people to jump on the moron wagon in their course of seeking popularity.

"I could get jailed for life" will become a trendy pickup line in high schools 
across the nation.

If you want to combat cybercrime then you have to remove the information flows 
to script kiddies.  Since it takes no great genius to be a script kiddy, this 
needs to be achieved by using non-disclosure when it comes to the public at
large.

IT IS AN IDIOT'S LOGIC TO WAIT UNTIL THE SCRIPT KIDDY HAS DONE THE DAMAGE BEFORE
WE DO ANYTHING ABOUT IT.

Anyone who tells you otherwise is out for the profit.

--------------------------------------------------------------------------------
So to summarise:

* The government is moving to increase funding for the security industry to 
  increase the whitehat population.
* The government thinks it can combat the associated increase in script kiddies
  (from the increase in advisories, resulting from the increase in whitehats) by
  increasing penalties for hacking.
* If we're going to stop script kiddies we need to eliminate them from the 
  advisory system.
* Removing script kiddies from the security industry means employing
  non-disclosure mechanisms.
* Waiting for the damage to be done before we do anything about it is poor 
  security sense.


I leave you now with a quote from .fred:

"If your hat is black, stay black and keep your mouth shut. If your hat is white
put it proudly on your head, and jump out a 6th story window grabbing a hold of
as many skript kiddies as you fall."


<3 sockz