Open Source and information security mailing list archives
From: euan_briggs at btinternet.com (Euan Briggs)
Subject: Security Industry Under Scrutiny: Part Two

Hi,
 
I would just like to remind everyone, before you drag this thread on
any longer, that I did NOT post that message. The message was posted
by someone to try and embarrass me etc. and does not represent my
views in any way. FYI, genuine posts from me have my pgp signature,
and always come from euan_briggs@...nternet.com. See the attached pgp
key.
 
I really wanted to avoid getting into a discussion over that daft
prank email, but really sockz, you have turned it into a personal
attack. I would just like to say that I know perfectly well what a
blackhat is, I know perfectly well how blackhats operate, and I know
perfectly well what they are capable of. I have years of experience
that you can't read in a book. So just out of interest, before you
start getting into personal attacks like this, would you mind telling
everyone what your credentials are, that make you think you are in
any position to comment on the blackhat scene? Actually don't bother,
I have better things to do with my time.
 
 Euan aka stripey

----- Original Message -----
From: "sockz loves you" <sockz@...il.com>
To: <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>; <vuln-dev@...urityfocus.com>;
<vulnwatch@...nwatch.org>
Sent: Monday, November 18, 2002 12:11 AM
Subject: [Full-Disclosure] Security Industry Under Scrutiny: Part Two


> hi full-disclosure,
> 
> I was going to write to you today about one of the projects I've
> been working on, but it's not complete yet, so I'll save it for
> another day.  It seems that a lot of people are talking about this
> "UK hacker", a 36yo guy by the name of so1o. I won't, cuz it's boring
> already.  The other piece of interesting news that I AM going to
> discuss though, is the prospect of new or changed legislation
> affecting internet security and cybercrime in general.
> 
> A couple days ago wired ran an article 
> [ http://wired.com/news/politics/0,1283,56351,00.html ]
> about changes to legislation in the US, regarding hacking and
> terrorism... the Cyber Security Research and Development Act.  What
> does this act do?  Well it  aims to increase funding for the
> security industry in the US, as a means of  combating
> cyberterrorism and cybercrime.
> 
> To quote Michael Grebb in his article:
> 
> --------------------------------------------------------------------------------
> "the bill's backers said cybersecurity funding is now inadequate,
> especially if terrorists were to time cyberattacks with physical
> attacks similar to those carried out on Sept. 11, 2001. The result
> could cripple vital response services, most of which rely on
> computer networks."
> --------------------------------------------------------------------------------
> 
> This bill aims to increase protection measures against
> cyberterrorists by  increasing funding for the security industry. 
> Politicians say it will do this through increasing funding to
> colleges and schools around the nation in the hope that they can
> reduce the 'moron' side of the moron to expert ratio of computer 
> security graduates.
> 
> How amusing that more than a year after the catastrophic events of
> the WTC and  Pentagon attacks do we NOW find bills being put into
> place to combat terrorism. Now it would seem that you don't have to
> work for a terrorist organisation to be targeted by this bill.  It
> seems that today if you hack any major corporation  or any kind of
> government computer (regardless of its use and the information it
> holds) you transcend from being "hacker" to "terrorist".  How is it
> terrorism  when the only fear it inspires is from the story that
> the government gives the  press?
> 
> Why would the government want to create fear?  Because catastrophes
> are good for the economy.
> 
> --------------------------------------------------------------------------------
> "'We will have a synergistic outcome with catastrophic results,'
> said Rep. Brian Baird (D-Wash.), who co-sponsored the bill."
> --------------------------------------------------------------------------------
> 
> I couldn't have said it better myself.  Once you get through all
> the corporate buzzword jargon here we get a sentence that reads
> "The end result will be a co-operative effort towards
> catastrophe."  If you create more whitehats then you create more
> advisories.  If you create more advisories then you create more
> 0-days available to script kiddies.  When this happens the security
> industry makes more money, but more people are at risk.
> 
> It's like when an oil tanker bursts a leak and spills oil all over
> the ocean.   It's sad for the animals, sure, but all the humans
> profit.  The media gets money from covering the spill, scientists
> get money for taking care of the animals and then they get more
> funding to come up with some new technology "for next time",  if
> there is a fire then the ppl who put out that fire get paid money,
> if there's a terrorist involved then the CIA gets money to track
> them down, the list goes  on.  With everyone getting paid lots of
> money they can afford to buy more stuff. And people buying more
> stuff means a greater purchasing power for the State,  which
> ultimately improves the economy's power in international trade.  
> 
> The last thing this world needs is more dolts working for the
> security industry because its these idiots who create the oil spill
> in the first place.  What we  DO need is to redesign the current
> system to remove vulnerability information  from the eye of the
> general public... to avoid a "next time" as much as  possible. 
> Sure it makes money, but releasing more oil (advisories) into the 
> ocean (community) does not make for a healthy environment
> (security).  
> 
> The other article I looked at was one on news.com, entitled "House
> considers jailing hackers for life".
> [ http://news.com.com/2100-1001-965750.html?tag=fd_top ]
> What is this one all about then?  Well it seems to be the
> government's feeble attempt at threatening hackers who could be
> labelled as terrorists.  Declan McCullagh writes:
> 
> --------------------------------------------------------------------------------
> "CSEA expands the ability of police to conduct Internet or telephone
> eavesdropping without first obtaining a court order, and offers
> Internet providers more latitude to disclose information to police."
> --------------------------------------------------------------------------------
> 
> Australia has seen a similar thing happen with ASIO's authority in
> the past year or so.  In April, The Australian ran an article by
> Kate Mackenzie about deals  between law enforcement agencies and
> ISPs.
> 
> --------------------------------------------------------------------------------
> According to sources within the ISP industry, who did not wish to be
> named, various law-enforcement agencies were working directly with
> large ISPs to formalise the storage and delivery of data,
> particularly real-time communications of suspected individuals.
> --------------------------------------------------------------------------------
> 
> It is the government's hope that they can combat cybercrime by
> increasing  surveillance measures and the penalties for hacking. 
> THIS WILL NOT WORK.  The majority of cybercrime comes in the form
> of script kiddies, and employs those  exploits that have been known
> about for ages.  The whole reason why script  kiddies are attracted
> to cybercrime is because of the "bad boy" label that they are
> branded with by their peers.  So increasing the penalty for
> 'hacking' will only serve to increase the fame of script kiddies
> among their peers, causing  more people to jump on the moron wagon
> in their course of seeking popularity.  
> 
> "I could get jailed for life" will become a trendy pickup line in
> high schools  across the nation.
> 
> If you want to combat cybercrime then you have to remove the
> information flows  to script kiddies.  Since it takes no great
> genius to be a script kiddy, this  needs to be achieved by using
> non-disclosure when it comes to the public at large.
> 
> IT IS AN IDIOT'S LOGIC TO WAIT UNTIL THE SCRIPT KIDDY HAS DONE THE
> DAMAGE BEFORE WE DO ANYTHING ABOUT IT.
> 
> Anyone who tells you otherwise is out for the profit.
> 
> --------------------------------------------------------------------------------
> So to summarise:
> 
> * The government is moving to increase funding for the security
>   industry to increase the whitehat population.
> * The government thinks it can combat the associated increase in
>   script kiddies (from the increase in advisories, resulting from
>   the increase in whitehats) by increasing penalties for hacking.
> * If we're going to stop script kiddies we need to eliminate them
>   from the advisory system.
> * Removing script kiddies from the security industry means
>   employing non-disclosure mechanisms.
> * Waiting for the damage to be done before we do anything about it
>   is poor security sense.
> 
> 
> I leave you now with a quote from .fred:
> 
> "If your hat is black, stay black and keep your mouth shut. If your
> hat is white put it proudly on your head, and jump out a 6th story
> window grabbing a hold of as many skript kiddies as you fall."
> 
> 
> <3 sockz


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Euan Briggs.asc
Type: application/octet-stream
Size: 1723 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021118/b0b9c795/EuanBriggs.obj
