White Hat Hacker Breaks Silence
Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security.
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?
Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial needs Gary Morse to tell them what a firewall does for them?
Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?
Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?
Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.
Or maybe they're just a bunch of wannabes.
Why are we supposed to be interested in this crap?
I had the same feeling; it was a particular feeling in the back of my throat. Of course I didn't know why I felt turned off by the article.
I guess it seems kind of hokey. The guys who KNOW security tend to not be so outward about it.
Black holes are where the Matrix raised SIGFPE
The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.
It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.
Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.
dmiessler.com -- grep understanding knowledge
His reasoning is probably the same as why you need a criminal background check to do almost any real-world security work (i.e., non-computer-related).
Want to be a security guard? Nope, sorry, not if you have a B&E record. Want to be a police officer? Couple of murder convictions? I don't think so. And so on.
The rest of society has already figured this out. Ex-criminals can be useful for information, but it's not very often that they get put into positions of *trust*. I sure wouldn't want someone who's already proven their disregard for security controls designing them.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with insecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with insecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it, cause the airlines publish their flight lists and times. I know, they hacked their way into flight school, right? This assclown is playing on people's fears and it's intensely disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one who displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....
A B&E record only lasts seven years (IIRC) so it seems that society has actually figured out that people CAN turn around. People CAN grow up. Amazing eh?
Furthermore, the hacker who grew up retains his knowledge. The hacker who has never broken into a Real System cause mommy said she'd take away his computer privileges simply cannot know all the details.
How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.
All but the stupidest of employers care vastly more about experience than education.
"[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
A B&E record only lasts seven years (IIRC) so it seems that society has actually figured out that people CAN turn around. People CAN grow up. Amazing eh?
Yup, some people CAN change. Fact is, most crimes are committed by repeat offenders. Most people DON'T change, and have fun applying for the CIA job with your supposedly-erased-due-to-it-being-7-years-old criminal record.
The hacker who has never broken into a Real System cause mommy said she'd take away his computer privileges simply cannot know all the details.
How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.
Now come on, grow up. You want to break into a system? Set one up. Crack it. Next, get a friend to set one up, not tell you what he did, then crack it. And so on. You want to elude detection? Install Snort, and try to elude it. Etc.
You don't think locksmiths are trained for their job by breaking into unsuspecting homeowners, do you? Or that alarm companies enhance their products by committing B&Es?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interested in asking pointed questions that millions of people will see when they sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recommend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.
I highly recommend everyone go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for the printed USA Today. There are 750,000 Slashdotters, all interested in free software and security? This interest should be reflected in the questions. Follow the link and submit as many good questions as you can think up.
Friends don't help friends install M$ junk.
The 2 most overrated fields in IT are definitely
1) Security
2) Video Games
Both are fucking boring as fuck. I know every kid these days goes into college dreaming of becoming a leet d00d with his Information Systems degree and becoming an uberleet securitah master. Either that or they want to get a CS degree and then instantly get the job they are guaranteed as a code monkey for some video game firm (shea).
Both of those fields fucking suck. Security, once you leave the leet hacker intrigue CIA espionage fantasy shit back in the dorm after you graduate you'll realize what you do is fucking boring ass shit thwarting scumbag employees and stupid script kiddies. Ooohhh FUN! And guess what in the video game industry you don't actually play the god damn games you just code monkey it up for the designers, JUST ANOTHER CODING JOB. BORING.
Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.
A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]
But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.
Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.
Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Eerily this Gary Morse guy reminds me of John Vranesevich.
Now if, on the other hand, you mean that Microsoft restricts its tools to its own OS ... well then I fail to see your point. We don't expect Ford to make parts that fit in a Toyota as well.
Then you have low expectations of your systems. I expect my web server to run on most available platforms, same for my database server, and I will try my best to make my middle layer be flexible as well. I do not expect my own solutions to restrict me to a single path dictated by a single corporation. If you choose to predominantly use MS-specific solutions, you are doing just that.
Now, I am not saying that's what you do, I am just commenting on the point that it's OK to be locked in. It's not "OK", unless it's by choice or a very good set of reasons.
Car comparison is not really valid. If you drive a Ford and start liking a new Toyota model, you can trade it in the next day; don't try that with any corporate systems, especially if you are locked in to a single vendor.
It's probably an inappropriate question only because it is too specific, imho. One of the first things I'd probably ask a guy or girl who is known for his experience and expertise in security would definitely be something along the lines of:
"Given the increasing interest of the business world about OSS, what are, in your opinion as a security expert, the advantages if any and disadvantages that you know about of OSS when compared to closed source software?"
One might argue that this is too generic as a question, or that the question "begs for a particular sort of answer". I would encourage answers that are as objective as possible though.
--
My other computer runs FreeBSD too.
If you look at 9/11 as purely a terrorist act using airplanes, then yes, it's facetious hyperbole. But you could have sat down and thought about 9/11 in a metaphorical context. It was a tragedy that could have been avoided and was not because of careless complacency; now the statement makes more sense. I'm sure large companies started to realize they could be next in line. Also, I'm sure he's telling the truth that after 9/11/01, the computer security business skyrocketed. There were many news articles talking about computer "terrorists" infiltrating computer infrastructures to sabotage public works, or even the internet itself. It's hardly fair to castigate a guy for reciting fact.
Normally, I would agree with your assessment of Morse as a fearmongering assclown. Except, I know that computer security is thought of as a joke, never taken seriously, and worst of all, procedures and tools are put in place by people who really do not understand the nature of system security. It is the digital equivalent of a 9/11, except it's unlikely to have quite the same repercussions. There is nothing moral about a hacker who chooses not to work in computer security because they think that the act of preventing illegal hacking into systems is somehow wrong. In the real world, people work for employers they don't like. To not support their families is irresponsible and childish.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
It didn't have anything *directly* to do with insecure networks, that I've ever heard about. However, the date 9/11 had a great deal of indirect effect on security consultants. Security/anti-terrorism/stopping people from kicking your ass has become *the* most discussed concept in the western world since that date. The Office of Homeland Security. Iraq represented a threat to US Security. Hackers present a Security threat. Apologies for sounding like Illiad but that's what has actually happened in the public eye over the last two years. The profile of security as a profession has gone through the roof.
I imagine that is why they asked the question.
~cHris
You are undoubtedly right that even most seasoned hackers would probably not be experienced enough to secure a network. However, Morse's business model seems to be based on first penetrating a network, in order to secure the business of a client by demonstrating its vulnerability (a la Sneakers, an excellent movie). And then, of course, securing the network. If I had to guess, Morse probably has entirely different teams for each of these processes. Now, you could argue that black hat hackers can't be trusted, and I wouldn't put up a fight. But, purely from a skill set point of view, black hat hackers would probably be most qualified for the "penetrate" portion of a job.
regards, qortra