From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 7 Feb 2002 07:25:28 -0800 (PST)
Subject: [iwar] [fc:Hackers.Get.Green.Light]

Hackers Get Green Light
By Peter Stephenson, Infosecuritynews.com, 2/6/02
<http://www.infosecnews.com/opinion/2002/02/06_01.htm>

There have been endless debates over whether or not to hire hackers. The arguments have ranged from "It's OK as long as they're not convicted criminals," to "They're the ones we need to protect ourselves from, so let's learn from them," and "Never, never, never!" Well, if we are to believe companies such as WorldCom, the question has been answered, the debate settled.

In a copyright story on ZDNet last December, Robert Lemos tells the story of the 'curious hacker' who attacked WorldCom and earned their appreciation and encouragement. What, in Heaven's name, are these people thinking? This 'Curious Hacker,' described by Lemos as a "sometimes consultant and security researcher," poked around in the WorldCom network over a two-month period before he decided that it would be a good idea to tell WorldCom what he was doing. In addition to WorldCom, the Curious Hacker has broken into Microsoft, Excite@Home and Yahoo.

I've been doing intrusion investigations and intrusion testing for many years. Call me uninformed, but I always thought that penetrating a private system without permission was a violation of a fistful of laws, both federal and local. I guess I've been wasting my time and my clients' time getting appropriate contracts signed. If this is the 'new order' of things, I can just turn on my tools and let 'er rip. Perhaps my targets, like WorldCom, will be (quoting a WorldCom spokesperson) "definitely appreciative." However, somehow I doubt that.

Folks, this is a very bad thing for a lot of reasons. First, by encouraging this activity WorldCom has issued an open invitation to the computer underground that says, "Hack me - just be sure that some day you tell me what you did."

Billion Dollar Bill recently announced that Microsoft is now going to put security ahead of everything in its products. No more buggy IIS. No siree… MS stuff is going to be TIGHT! Good thing, too.
MS is a prime target for hackers, and Microsoft products comprise an entire hacking specialty in themselves. I wonder if MS is "definitely appreciative" of the Curious Hacker's activities on their network. And how about Excite@Home? Now there's a company that has had more than its share of woes. I'll bet they are not "definitely appreciative" of the Curious Hacker.

Enough, already! WorldCom has done the entire Internet business community a grave disservice: first, by not prosecuting this turkey to the absolute limits of the law and then not whacking him with a whopping lawsuit, and second, by telling the news media (and, thus the whole world) just how cool they think this idiot is.

And who is right there fighting on the side of the Curious Hacker? The director of research and development for a major security consulting company that proudly hires black-hats. His take on this is that "… poking around the Internet in the way [the Curious Hacker] does aids companies' security and shouldn't be considered illegal." I don't know about you, but that's not a company I am keen to hire. (To be fair, the company I work for actually competes with this particular consultant, which is why their name is not mentioned here.)

Our profession is built on integrity perhaps more than skill. It has long been an axiom of mine that you can buy technology anywhere for a price. Integrity is a far more precious commodity. We need to step back and have an introspective look at where we are going when we take WorldCom's public approach.
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST