White Hat Hacker Breaks Silence
Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security.
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Of course he is held in wide-disregard. Just look at the ''s around 'good guys'
Bash, Korn or Csh?
Inquiring minds want to know.
Thereby driving up page hits and ad views.
I think I'm on to something here.
best patent that idea...
ooh..trolling = profit
aww..c'mon, someone chime in with the profit model, and something about soviet russia, this won't be a good post w/o it...
*shrug*
High disregard, huh?
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
He's not well regarded because he's good at what he does, or because he's good at what he does without catering to the overused claim that ex-hackers are best suited at protecting systems?
Frankly I find him a breath of fresh air.
3. PROFIT!
Happy now? I feel sooooo dirty. You forgot the gratuitous cluster reference I'm all over it like a fat kid on a smartie.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
These Uber-FP /. "hackers" are going to find their IPs banned too. So that may be another reason for these subscriber messages.
/. should hire some white-hat hackers to destroy the FP trolls?
Maybe
Why slashdot? Why not?
"Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. " Blablabla, don't think you are the best 'cause you are a security guy. Everything can be exploited!
Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?
Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial needs Gary Morse to tell them what a firewall does for them?
Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?
Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?
Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.
Or maybe they're just a bunch of wannabes.
Why are we supposed to be interested in this crap?
"Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers " keep in mind things have changed a lot since he developed his 'code' sends out a "dot dot dot - dash dash dash - dot dot dot - i'm being hacked!!! " the first bit was SOS in Morse code if you didn't know Steve
I think not.
"What about those [hackers] who've been sitting under the heat lamps?"
Those computer geeks will not be cold and clammy, they'll just be clammy.
Why slashdot? Why not?
he is an expert in attack/penetration, and he wants to help us avoid viruses -- just checking
Here is the text of a recent interview with the reclusive security wonk from Crain's New York Business.
On the job with...
Gary Morse
Founder and CEO
Razorpoint Security
Keeping a company's computer systems and networks secure from intruders used to be the responsibility of mid-level IT managers. But after the Sept. 11 attacks, the job landed on the desk of company CEOs. Executives in all sorts of industries woke up to the fact that security--of everything from the front door to the mailroom PC--has to be a top management concern.
The new consciousness has proved a boon for companies like Razorpoint Security, which was founded in Manhattan in 2000 and saw its business take off after the attacks. Razorpoint tests just how secure a company's network is by trying to hack into it. The company then does the follow-up work of fixing problems and performing regular network audits. Crainsny.com's Judy Messina talks with Razorpoint founder and CEO Gary Morse.
Crainsny.com: Describe what Razorpoint does.
Gary Morse: In the simplest terms, you can think of us as professional hackers. We're tech professionals who in the past have built large-scale networks, including major sites on the Internet. That helps us know where the pitfalls in systems are and how to break things. Once we find vulnerabilities, we demonstrate them in a very comprehensive report. If we're able to crack passwords, for example, we'll show the list of passwords or a screen shot of them. We want to drive the point home.
Then, one of the three things happens. The company has trained staff who are capable of fixing the problems and they use our report as a roadmap. Others ask us to do the remediation for them. In the third category, and this is coming up more and more, is the client who is overwhelmed and understaffed, and we go in and act as their temporary IT security arm for a while.
Crainsny.com: How do you convince executives that their networks are vulnerable?
Gary Morse: At one firm half the executive board wanted to bring us in and the other half was on the fence. They had all the buzzwords, the firewalls, all the security products you're supposed to have. But when they finally hired us, in less than one week we had control of every device on their network - every server, every desktop computer, every laptop. We even logged on to the system as the president and we wrote an email in his name. The screen shot of that email was one of the prominent pieces in our presentation to the executive board. We had to break the report in two pieces it was so big.
Crainsny.com: What are the most common holes you find in computer systems?
Gary Morse: There's everything from the seemingly insignificant to the colossally devastating. You can have a poorly configured web server or mail server sitting next to a server with financial information. One time, we found a fax machine talking to a phone system so that a document on somebody's work station was being sent over the network as if it were being faxed. Somebody had set up the connection and forgot about it.
Crainsny.com: What do companies need to do to make their systems secure?
Gary Morse: They need to think about what services they truly need in order to be online. Security is a process not a product. There is no shrink wrapped thing you take off a shelf and install. New vulnerabilities are coming out every hour.
Crainsny.com: What changes did you see after 9/11?
Gary Morse: We saw more security awareness. The bar was raised quite a bit. People who had been on the fence about doing regular security audits were certainly calling us a lot more than we were calling them. The year 2002 was a big year for us. We grew roughly 300%.
Crainsny.com: You said new vulnerabilities are surfacing every day. What should companies be preparing themselves for?
Gary Morse: Web and web application vulnerabilities and wireless security issues are going to be concerns. In the past year, a lot of w
I have no pants and I must scream
In soviet russia, profit makes YOU!
/. trolling methods into one ubertroll?
Have YOU ever combined two of the most popular
Wouldn't it be funny if I hacked the video interview and broadcast UHF instead?
he is an expert in attack/penetration testing :-D
tat tat ta
Um...was he ever in jail?
I hope he didn't run out of books due to the /. before I got my order in :).
I don't own an X-Box, but from the samples it looks like some very interesting stuff.
I had the same feeling, it was a particular feeling in the back of my throat; of course I didn't know why I felt turned off by the article.
I guess it seems kind of hokey. The guys who KNOW security tend to not be so outward about it.
Black holes are where the Matrix raised SIGFPE
The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guys reasoning for not hiring "hackers who have come in from the cold."
SuPz.orG
confused philosopher = donkey
donkey = six letter word
six letter word = hacker
therefore confused philosopher is a hacker.
Why slashdot? Why not?
I guess the worst part was that he was hosting a chat. Talk about a grab for attention.
::shrugs::
I mean, on the one hand it's cool to try to educate people on things concerning security. But he doesn't need to pimp himself with the credentials. People who read USAToday will pretty much believe anyone tells them... forwarded emails, you know ^_^
Smells like he's fishin' for gullible clients. Then again, maybe he's just bored.
Black holes are where the Matrix raised SIGFPE
Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, please email moderation@slashdot.org with your MD5'd IPID and SubnetID, which are "c1" and "e3".
Don't you hate it when you respond to the wrong fucking article lol. I wish I had mozilla on this work machine, not having tabbed browsing is complicated :P.
The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.
It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.
Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.
dmiessler.com -- grep understanding knowledge
" These Uber-FP /. "hackers" are going to find their IPs banned too. So that may be another reason for these subscriber messages."
I want you to think about this more carefully.
1-Slashdot is built to take its own effect.
2-Non accounts already start at zero. which BTW.
3-Why are moderators wasting their points on posts that default to unseen?
4-Isn't banning a group of tech minded individuals similar in "degree of failure" to what the MPAA and RIAA is attempting? (If the amount of bravo displayed every time the subject comes up is any indication).
5-We can't even get the problems that need solving, solved. So what makes you think they'll come up with a solution to this problem?
I started reading the article, and the more I read, the more confused I got. Then it finally hit me. This guy has never worked with java as most of us do. Writing HelloWorld java programs for each release of JDK doesn't count as any java related experience. "Property files multiply like rabbits in a large, Java-based Web application," after reading this I realized he hasn't used Java web app (JSP/Servlet) in his life. After reading the article I have realized that the author unknowingly brings forth the point, which says that Java allows you maximum flexibility and access to two different products, it encourages competition thus increasing the quality of the packages we use, and MICROSOFT LOCKS YOU INTO THEIR OWN PLATFORM, WHICH PROBABLY WORKS BUT IT IS NOT GUARANTEED TO BE THE BEST SOLUTION OR IMPLEMENTATION OUT THERE.
It's cracker dammit...
.: Max Romantschuk
Maybe the title should instead be "White Hat Hacker Breaks Wind"
...can go by any damn criteria they choose. It's as simple as that. Don't like it? Then start your own damn business. When YOU write the paychecks, then you can spout your indignation to your content. Until then, your opinion means squat.
Done.
You have four moderator points left.
Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it cause the airlines publish their flightlists and times. I know, they hacked their way into flight school right? This assclown is playing on people's fears and it's intensely disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....
Look forward to script kiddies among others trying to hack the broadcast to gain notoriety.
I think this will be interesting to watch too.
in girum imus nocte et consumimur igni
Translation: Morse's company does not hire people who know best how to defend against the type of attackers Morse's company is paid to defend against.
What a dipshit.
So is there a similar type of thing going on with hackers as there is with general employment?
White Hat Hackers
Blue Hat Hackers
Labor Union Hat Hackers
Slave Labor Hat Hackers?
(Referring to the entire "white collar" idea...)
I got nothin'.
The word is "cracker" not "hacker" I'm neither but at least I know the difference. Thanks a bunch.
"All but the stupidest of employers care vastly more about experience than education."
Most care about both. However you can gain those skills without breaking the law. Or were you under the impression that one has to do illegal things to gain security knowledge? But then that's the difference between ill gains gotten easily, vs gains gotten the hard way.
Couldn't have said it better myself. I agree completely. All but the hackers having morals part. A true hacker will work for Mountain Dew and free porn.
Regardless. I agree and hope someone DDOSes his website.
Mod the original up. you know you want to.
thx
"How do you get good at knowing you're being tracked, if you've never been tracked? You don't."
By your reasoning, only a murderer could catch another murderer.
All but the stupidest of employers care vastly more about experience than education.
So if I had spent 12 years of my time coding in my house (but doing it badly since in reality, no one ever taught me anything), you would hire me over an MIT grad? Hey, I'm experienced!
You lost this war a long time ago, the Press won. You can never beat the Press.
I was under the impression that @stake was formed by former / current L0pht Heavy Industries members? While they might know their stuff, are they the people you want "protecting" your network? Shrug. Just a thought
You must not have been here on April 1st. The Slashdot editors get pretty wild for April Fool's Day. Now that's what I call a party.
AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interested in asking pointed questions that millions of people will see when they sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recommend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.
I highly recommend everyone to go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for printed USA Today. There are 750,000 Slashdotters all interested in free software and security? This interest should be reflected in the questions. Follow the link and submit as many good questions as you can think up.
Friends don't help friends install M$ junk.
Your bleeding heart liberal mentality is glaringly obvious. People like this have broken the trust that they probably expected before they broke it. The problem is now people expect 2nd, 3rd chances as some sort of entitlement. Only in America does this happen. It's like "yeah I broke the trust, but if you want me to not do it again, you better trust me." Sorry, there has to be some sort of accountability, some sort of understanding that if you fuck up a good thing (the initial trust of being a non criminal is), that things will get harder. Trust broken must then be earned, not simply demanded like a petulant child. Computer security is not the only job path in the world, people like this could become programmers, etc.
That's the problem when spoiled people never decide to own up to their actions.
Then again, why should anyone hire someone they don't trust? Just to please the liberals who typically care more for criminals than victims?
The 2 most overrated fields in IT are definitely
1) Security
2) Video Games
Both are fucking boring as fuck. I know every kid these days goes into college dreaming of becoming a leet d00d with his Information Systems degree and become a uberleet securitah master. Either that or they want to get a CS degree and then instantly get the job they are guaranteed as a code monkey for some video game firm (shea).
Both of those fields fucking suck. Security, once you leave the leet hacker intrigue CIA espionage fantasy shit back in the dorm after you graduate you'll realize what you do is fucking boring ass shit thwarting scumbag employees and stupid script kiddies. Ooohhh FUN! And guess what in the video game industry you don't actually play the god damn games you just code monkey it up for the designers, JUST ANOTHER CODING JOB. BORING.
If you really don't know, then your above opinion automatically becomes void.
Hackers spend their time learning how to break security, not how to make something secure.
Certainly hacker wanta be ./script kiddies are the easiest of all to social engineer, you just have to make them think about gettin' your latest and greatest hack. They come a droowlin' to the bait. Hide it in a dll, what the hell, trick out ptsnoop, if he's ppp custom it for his win 2000 swiss cheese box and watch the fun.
Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.
A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]
But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.
Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.
Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
--Matthew
Eerily this Gary Morse guy reminds me of John Vranesevich.
IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.
The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.
Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
I was investigating anonymous proxy servers that were abusing our system, and was setting my browser to random proxies to see how they were working (most of them did pretty well). I forgot to change back off of the proxies to come to /. , and got a big message about how I couldn't access from there, because of abuses.. Perfectly reasonable, since I found them through abuses on my network. :)
:)
So, consider the timeout a good thing. At least you haven't been banned by the gods.
Serious? Seriousness is well above my pay grade.
If you look at 9/11 as purely a terrorist act using airplanes, then yes, it's facetious hyperbole. But you could have sat down and thought about 9/11 in a metaphorical context. It was a tragedy that could have been avoided and was not because of careless complacency; now the statement makes more sense. I'm sure large companies started to realize they could be next in line. Also, I'm sure he's telling the truth that after 9/11/01, the computer security business skyrocketed. There were many news articles talking about computer "terrorists" infiltrating computer infrastructures to sabotage public works, or even the internet itself. It's hardly fair to castigate a guy for reciting fact.
Normally, I would agree with your assessment of Morse as a fearmongering assclown. Except, I know that computer security is thought of as a joke, never taken seriously, and worst of all, procedures and tools are put in place by people who really do not understand the nature of system security. It is the digital equivalent of a 9/11, except it's unlikely to have quite the same repercussions. There is nothing moral about a hacker that chooses not to work in computer security because they think that the act of preventing illegal hacking into systems is somehow wrong. In the real world, people work for employers they don't like. To not support their families is irresponsible and childish.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
You obviously don't have a fucking clue what you're talking about....so let's lay down a few facts first that aren't biased by your knowledge/experience (or lack thereof) or my urge to find you and slap you first before we draw any conclusions.
Security is not an overrated field...it's a field worth hundreds of billions of dollars a year....no it's not overrated...when you have a field where consultants can bill upwards of 1000 dollars an hour...no it's not overrated to have a community behind it. Security is a field in which hundreds of thousands of people in North America alone work in professionally....all day every day...not just doing coding, but doing research, and research that has changed many aspects of the internet over the past 10 years.
Real security that is done by large firms is not code dependent; in fact, coding only makes up about 10% of the time a professional consultant spends on average working a contract. The security we talk about here, and the security which is regarded when people talk about the security community, is very real and very important, and involves very little coding. It's not a code monkey job. And it requires much more skill and experience to do than just a random coder can.
Security is not about thwarting scumbag employees or script kiddies, these people use known exploits that a patch gets coded for and then a few million systems get patched.
The security that we are talking about here involves the use of bugs, exploits and holes in system design that are not known and not readily visible. The people who find these, and are smart enough to find these, are usually black hat hackers; they are the people the security community is after. Since you obviously don't know about this, I'll have to define it for you like I have to with everyone who doesn't know what goes on past their desktop.
A black hat hacker is being paid by one person to get information from another hacker. Fortune 500 companies do this often. They send hackers after their most threatening competition, in an effort to get design specifications, or other documents that could give them the edge over the company. Other black hat hackers are running billion dollar credit card or other line of credit scams, they go after major companies accounts receivables, they take the credit information, and exploit those credit lines for as much as they are worth...then take the money and run.
These hackers use techniques that they develop, and the rest of the world doesn't know about, so professionals (ie - security people that you were just calling "code monkeys") have to constantly look for possible ways that software could, in a hypothetical scenario, be broken. And then generalise these breaks into a more general type of attack (ie buffer overflow attacks) and then design a general methodology to counter them, this is what gets handed off to individual coders to code solutions for individual applications. The actual security community doesn't do a whole lot of coding. Yet by your definition, we are all code monkeys.
Is it boring? Not generally, but that depends who you talk to. Is it a coding job? Is it something that is done by random CS students or code monkeys? No. It isn't. Unfortunately before making your post you didn't bother to actually consult the facts. Perhaps if you were able to understand what goes on in the security industry you would understand why you are so wrong.
(subject body here)
I'm smarter than the average bear.
It didn't have anything *directly* to do with insecure networks, that I've ever heard about. However, the date 9/11 had a great deal of indirect effect on security consultants. Security/anti-terrorism/stopping people from kicking your ass has become *the* most discussed concept in the western world since that date. The Office of Homeland Security. Iraq represented a threat to US Security. Hackers present a Security threat. Apologies for sounding like Illiad but that's what has actually happened in the public eye over the last two years. The profile of security as a profession has gone through the roof.
I imagine that is why they asked the question.
~cHris
It's also why so many unrelated, futile, and in some cases counterproductive "security" measures were adopted in the aftermath of the attack.
Paul "Say no to feeping creaturism"
How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.
Utter garbage.
That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.
There is a phrase 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.
Being a hax0r does imbibe you with any knowledge of how to develop secure systems. In the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems, break ins that occur usually down to trivial holes, which all non-security orientated developers know how to fix (and code against), these holes occur simply because best practices are not always followed.
Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use separate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, Software Development and Networking knowledge.
Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.
All but the stupidest of employers care vastly more about experience than education.
Crackers break into secure software, they don't have experience in designing secure software. They would make awful systems that would be just as vulnerable but in different ways - developing secure solutions requires a design approach that bears this in mind.
Serious crackers are *not* suitable candidates for security experts.
The idea of discriminating due to previous hat color
is appalling. I used to be a black hat. I have penetrated corporate america and then some. I have
exploited entire countries. I never went out of my
way for publicity, but some of my exploits were
publicized. I was quoted in a few places. This was
all when I was younger, and not so wise.
I changed.
There is no money in staying a black hat. Eventually, everyone has to eat. The love of the
game never dies, but you have to face reality. I work for a very successful company doing security.
I have taken their policy and general operation
and turned it around in the realm of security. I enjoy my job, it stimulates me, and while they have a good idea of my past, they are cool with it, because they pay me to help protect them from what I used to be. I grew up.
This man who does not hire previous black hats isn't trying to make a statement; he just doesn't want to be upstaged. The only way to be very good at security, is to once have been on the black side of the fence. There are no college credits for exploitation and penetration; these are skills that must be learned under the gun. I have no respect for this man, as his message is wrong. He knows that his livelihood depends on black hats exploiting systems, so he will not ever give one a chance to change his colors. They will be forced to get a different kind of job, and will stay as a black hat because it's the only stimulation they will get.
At least wait until the trial is over and then decide if one is worthy of employment.
For the record, I was never raided or tried in anything, this does not make my once black hat status right, it's just the way the chips landed.
It's a nice website, but I haven't read anything on it that led me to think they have more than just a basic understanding of network security.
razor point security whitepapers whitepapers
I don't see any bugtraq posts either...
Microsoft aggravates my tourettes syndrome.
From USA Today: Chat with Gary about keeping your computer safe from hacking and viruses.
Yeah, I'm sure Manhattan's uber-elite white hat hacker wants to spend his time answering questions like "I can't find my email. Did a hacker take it, or does my computer just hate me?"
sequent?
Or a black hat one, for that matter?
Never heard of the guy! Is he all that big?
-- I am. Therefore, I think!
-----------
Together, we will drive the rats from the tundra.
You underestimate the power of the dark side.
My beliefs do not require that you agree with them.
:-P
19:51 9/5/2546
... of course i'm going to use it, and some more. YOU should go to prison
... so do your programming.
TOPIC: Evil computer-user
hey! no black hat, no white hat, eh? inverse of no sunshine no shadow.
just because i found out you programmed something stupid/cheap/sloppy and are actually earning money from it,
doesn't make me evil
for making a cheap product and actually charging money for it.
come on 99.9% of the internet is email. finish. MEGA-REDUNDANT.
why don't they just make computers and a network for that.
should be easy to keep that secure
computers: it's made for programming. people did a lot "not-correct" thru history.
it's still funny you can go to jail for sending these few electrons thru here and not there
now if i send these electrons thru here and not there, and you/person would vanish,
now THAT would be serious.
like going to prison for making a short. maybe they should go arrest
those particle-beam-accelerator-scientists...
how can you ACTUALLY call sending-electron-around WORKING?
how can you actually get paid to make sound-waves, e.g TALK?
anyways, it's not like english and our character-set is universal
as far as i know computers are made for programming
but HELP!, what ARE they encrypting? the big companies? i know, so
the NYSE-cops don't know they're doing an insider-job again with the next merger
see there are evil persons everywhere, some just don't get caught
why don't we call a good programmer a white-hat and a sloppy programmer a black-hat?
the WHOLE sec. issue is because they are LAZY, they are trying to CRAM everything into
one protocol(IP/TCP) and network (INTERNET).
the big companies which do work in all countries around should get their own. i mean it.
it's not expensive. lay some cables, security is complete.
it stays there, like one of their super huge skycrappers. can't be more expensive
let the poor-normal-people have their internet. go get your own.
i can't fly (nature didn't make us to fly), so i build a plane.
i hacked the universe. is it going to sue me (it's a safe plane!)? NO!
NO for security, serious, WHY? Nobody knows anything of importance anyway.
and if you're one of those who think just because you know something nobody else knows, which
makes you have a meaning in life, well, i can smell them from a mile away (and it's probably
some bogus information like "i know who your wife slept with", wah *yawn*).
the only reason why you have to hide stuff, is like werner heisenberg said "Die Verantwortung des Forschers",
meaning the scientist is responsible for his findings. some dummy (say military) would just get the plan and
blow up the whole planet.
science is funny: you can actually make stuff work, without understanding why it works.
but if i hack your bank-account and make you a billion poorer, who cares:
first: you got another 5 billion.
second: i can't spend it anywhere else but here, this planet.
maybe the huge-company guys just lament to the PUBLIC bout security. In reality they
meet at the polo-club, eat lunch together and have a good laugh about the "security-issue".
if this is true they invented "security issues" because they are suddenly afraid the general public
would start discussing stuff seriously and would find out that they are actually doing nothing
the internet should stay OPEN! if you want to keep a secret don't tell, don't put it on a
computer that's on an open network.
MAEH, sometimes i feel sooo dumb
You guys are being insensitive to the hats of color.
Face the music boys and girls. Hacker and Cracker are indeed synonyms now. We lost that battle. Time to move on.
Even CowboyNeal knows that or he wouldn't have used "Hacker".
A number of posters have stated that security is a boring biz. They could not be more wrong. I've been in this industry for 2 years, having moved over from networking for 3 years. That IS boring. Managing networks is mindless. Managing any router and switch is mindless at best and rarely challenging.
Security IS a process, and because of that process, there are always new and exciting things to work with. I like working with people who are a hell of a lot smarter than I am. Some of the guys I work with are smarter than a tree full of owls and therefore I am constantly learning.
I happen to manage firewalls for a living now, as well as handle DoS attacks and unauthorized access. Great job with no boundaries outside my willingness to learn whatever it takes to move up to the next level.
People that say security is boring have a) never done it and want to and/or b) work in some lame help dick, er-- helpdesk position and are inflating their own self-importance beyond that of a phone jockey.
Nope, the use of free software is a practical security consideration on the desktop. Like its "server" counterparts, there's a rational user model, greater choice, higher quality, easier upkeep and lower cost. These lead to greater security through extra barriers, diversity, fewer bugs and more time and money spent on things that matter. The ideology makes it this way but a consultant does not have to mention that in a short answer such as the one above. Anyone who would ignore free software as an option on the desktop is blinding themselves for one reason or another.
I may not be very bright, but I'm not blind and I use free software. This message was posted from a currently stable Debian box sitting behind a Debian packet filtering firewall. To the best of my knowledge, I've never been rooted and the strange things that used to happen to my Windoze computers don't happen anymore. This proves that free software, such as Debian and Red Hat, is not difficult to install or keep up.
It's only a matter of time before places like Key Largo build up statistics proving that free software is more secure than its commercial counterparts.
Friends don't help friends install M$ junk.
The white hackers are good?! Just another attempt to bring down the black man.
+1 funny
... confortable)
-2 stupid
-1 misspelling (e.g. obssession
total: -2
it all sounds pretty stupid to me. do people actually refer to themselves in this way??
I'm sick of this racist bullshit. Why do we have to differentiate ourselves by color? We left that notion behind back in the 60's.
Black Hat = Afro Hat
Red Hat = Native American Hat
White Hat = Cracker-Hat
Yes, it's I, the Flackboy. Glad to see that my piece generated so much dialogue. In the order of fairness, I should mention that I simply submitted the story to the editors - there's no conspiracy behind its appearance, so go easy on the Slashdot staff, they made an editorial decision based on newsworthiness. Thanks to all for the compliments and criticisms.
Please never mod up discussions of hacker vs. cracker. Honestly, the dead horse is long since beaten into dust.
Hacker is not the word it once was. Weep for it or move on in life, but please don't discuss it here.
2. d00d, free kevin.
3. d00d, W1Nd0z3 suX0rz.
Manipulate the moderator system! Mod someone as "overrated" today.
...news articles...reciting fact...
hahahahahahahaha
If their terminal uses red text, they are definitely evil black hats... but if it is green or blue then they are on the side of good and justice and are white hats.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Crackers, not Hackers. Stop ruining genuine people's hobbies' good name.
What do you mean, the digital equivalent of 9/11? The physical one wasn't enough? People were given extra time, or released from obligation, for their tax returns. Computer systems for many, if not all of the companies housed in WTC were crippled, as well as many things hosted there. Phone traffic in NYC was congested and crippled. Economic shock was incurred in part due to the human loss (which was actually small, just concentrated) and corporate disruption, but also from IS disruption of financial systems. You may not have heard, but redundancy is part of security. So, does it tie in? Yes.
Sure I'm paranoid, but am I paranoid enough?
I would not recommend any such software, free or not. I trust the people at Debian to filter out backdoors and spyware. That's something you can do with free software. I will trust Sun and other reputable commercial software if forced to. I will never trust Microsoft, which has backdoored multiple programs, written their EULAs so that they can continue doing this and don't allow 3rd party compilation and verification of their source code for any reason.
A memory is a nice thing to have. You might consider using yours when choosing an OS to "touch any computer other than a goat box."
Friends don't help friends install M$ junk.
I don't care if your hat is neon green.
A hacker is a hacker, and not worthy of any praise whatsoever.
Whether they break in to a computer for the fun of it, to put up a web site that says 'omg i r teh l33t', or to forcibly patch an exploit that's been common knowledge for ten years, they're still in the wrong.
Of course, this story is just one big orgy of semantics.
Is this guy really a 'hacker'? I doubt he would be able to keep his day job. Oh, wait, hacker! Not cracker!
So what's a black hat hacker then? Someone who writes bulk mailing software? Someone who tries to slip DRM into the Linux kernel? (Nooo! Not Linus!)
Bah.
Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold.
Exactly how the hell would he know? If you get caught, you weren't a terribly good hacker to begin with. If you don't get caught, then Morse wouldn't know dick one way or another what it is that you've done in the past, except for those things you decide to put on your resume.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Oh, 9/11 was a _metaphor_. I see. So the hundreds of people killed were just...symbolic? Maybe the crushing collapse of two buildings was an artistic expression of the collapse of capitalism? Brilliant.
Nonsense! The fact that software is free makes a huge difference.
Free software is further ahead than commercial code and there is little chance of commercial code catching up. What kind of reviews do you think M$ Money got in Microsoft's big security hug? How about any of the other code that Microsoft has bought and rebranded? Do you think any of it was written in a way that even approaches the Unix standard that free software is built on? Do you think people using pirated M$ visual C in Indian sweat shops are going to do any better? The very fact that a pudknocker like me is having this conversation shows the power of free software. We are more than eyeballs. We start from a better position, we care and we get good advice. People making commercial code start with nothing and bang out code someone else, generally clueless, tells them to write.
The massive imbalance shows up in patching. When flaws are discovered, free software is much faster at fixing the problem. The people who cared about the software to begin with and dozens of helpers swing into action and a fix is out in a few hours. In the commercial software world, you are lucky if the person who wrote the code even works there. If the poor devil does not get canned, he will have to refresh his memory because the company will have kept him busy with other stuff he may or may not care about. The result is that it takes the company days, weeks, months or never to fix the problem.
This all adds up. The commercial software writer is handicapped in the software he starts with and is outmanned and poorly motivated. This is why free software has such good uptimes and does so much more with your hardware. My silly little P90 laptop with 24 MB of RAM and 1 MB of video RAM has multiple desktops, ethernet, 802.11 and a 56.6k modem and supports a 5 Gig hard drive the BIOS never envisioned. Windoze won't even run on it anymore and the version it came with would never see the networking equipment, the hard drive or give me more than one desktop or accept x-forwarding. Sure, it can be broken into, but it takes more effort and skill than the average script kiddie's got.
Friends don't help friends install M$ junk.
... and i know how my lan is wired. what does this have to do with security? never once did he mention anything about on-wire data, his penetration tests apparently involve nodes only.
my money is on him not being able to penetrate a wet paper bag.
paul
This is not true. You are absolutely free to examine and reverse engineer software products in order to find security holes. What the DMCA prohibits is trafficking in circumvention devices. Very few security advisories have anything to do with copy protection. While I think the DMCA is a bad law, you are exaggerating its scope. If I'm wrong, please tell me what "in-depth" activities that really should be legal have been outlawed as "computer terrorism".
Your point would be valid, in an alternate reality where this "white hat hacker (cough)" did not have his chat advertised on Slashdot.
But, alas, it was. And now, instead of 750,000 interested Slashdotters (as you claim), there are 750,000 * (boredom ratio) Slashdotters who will be planning some sort of cyber attack on the chat in question in order to show that they have stronger l33t fu than this sad "security guru" who, in his infinite wisdom, just bought a karma pass on the ride of hideous evil madness that is geek one-upedness.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator