Slashdot Mirror
White Hat Hacker Breaks Silence
Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security.
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Bash, Korn or Csh?
Inquiring minds want to know.
Thereby driving up page hits and ad views.
I think I'm on to something here.
best patent that idea...
ooh..trolling = profit
aww..cmon, someone chime in with the profit model, and something about soviet russia, this wont be a good post w/o it...
*shrug*
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
He's not well regarded because he's good at what he does, or because he's good at what he does without cattering to the overused claim that ex-hackers are best suited at protecting systems?
Frankly I find him a breath of fresh air.
That's just the thing, though, that I try to explain to my friends. When hackers hold a security person in high "disregard", it isn't that they dislike them. They really respect people the people like Morse because he gives them exactly what they want: a challenge. On the other hand, script kiddies dislike Morse because he makes sure they have to actually use intelligence to execute an attack on public networks.
Actually, I can understand this, being held in rather "high disregard" myself in some circles.
Ah, the joys of being the "Prince of Insufficient Light"
You are in a maze of twisted little posts, all alike.
Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?
Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial needs Gary Morse to tell them what a firewall does for them?
Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?
Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?
Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.
Or maybe they're just a bunch of wannabes.
Why are we supposed to be interested in this crap?
"Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers " keep in mind things have changed a lot since he devoloped his 'code' sends out a "dot dot dot - dash dash dash - dot dot dot - i'm being hacked!!! " the first bit was SOS in morese code if you didn't know Steve
I think not.
"What about those [hackers] who've been sitting under the heat lamps?"
Those computer geeks will not be cold and clammy, they'll just be clammy.
Why slashdot? Why not?
Here is the text of a recent interview with the
reclusive security wonk from Crain's New York Business.
On the job with...
Gary Morse
Founder and CEO
Razorpoint Security
Keeping a company's computer systems and networks secure from intruders used to be the responsibility of mid-level IT managers. But after the Sept. 11 attacks, the job landed on the desk of company CEOs. Executives in all sorts of industries woke up to the fact that security--of everything from the front door to the mailroom PC--has to be a top management concern.
The new consciousness has proved a boon for companies like Razorpoint Security, which was founded in Manhattan in 2000 and saw its business take off after the attacks. Razorpoint tests just how secure a company's network is by trying to hack into it. The company then does the follow-up work of fixing problems and performing regular network audits. Crainsny.com's Judy Messina talks with Razorpoint founder and CEO Gary Morse.
Crainsny.com: Describe what Razorpoint does.
Gary Morse: In the simplest terms, you can think of us as professional hackers. We're tech professionals who in the past have built large-scale networks, including major sites on the Internet. That helps us know where the pitfalls in systems are and how to break things. Once we find vulnerabilities, we demonstrate them in a very comprehensive report. If we're able to crack passwords, for example, we'll show the list of passwords or a screen shot of them. We want to drive the point home.
Then, one of the three things happens. The company has trained staff who are capable of fixing the problems and they use our report as a roadmap. Others ask us to do the remediation for them. In the third category, and this is coming up more and more, is the client who is overwhelmed and understaffed, and we go in and act as their temporary IT security arm for a while.
Crainsny.com: How do you convince executives that their networks are vulnerable?
Gary Morse: At one firm half the executive board wanted to bring us in and the other half was on the fence. They had all the buzzwords, the firewalls, all the security products you're supposed to have. But when they finally hired us, in less than one week we had control of every device on their network - every server, every desktop computer, every laptop. We even logged on to the system as the president and we wrote an email in his name. The screen shot of that email was one of the prominent pieces in our presentation to the executive board. We had to break the report in two pieces it was so big.
Crainsny.com: What are the most common holes you find in computer systems?
Gary Morse: There's everything from the seemingly insignificant to the colossally devastating. You can have a poorly configured web server or mail server sitting next to a server with financial information. One time, we found a fax machine talking to a phone system so that a document on somebody's work station was being sent over the network as if it were being faxed. Somebody had set up the connection and forgot about it.
Crainsny.com: What do companies need to do to make their systems secure?
Gary Morse: They need to think about what services they truly need in order to be online. Security is a process not a product. There is no shrink wrapped thing you take off a shelf and install. New vulnerabilities are coming out every hour.
Crainsny.com: What changes did you see after 9/11?
Gary Morse: We saw more security awareness. The bar was raised quite a bit. People who had been on the fence about doing regular security audits were certainly calling us a lot more than we were calling them. The year 2002 was a big year for us. We grew roughly 300%.
Crainsny.com: You said new vulnerabilities are surfacing every day. What should companies be preparing themselves for?
Gary Morse: Web and web application vulnerabilities and wireless security issues are going to be concerns. In the past year, a lot of w
I have no pants and I must scream
he is an expert in attack/penetration testing :-D
tat tat ta
Um...was he ever in jail?
I had the same feeling, it was a particular feeling in the back of my throat; of course I didn't know why I felt turned off by the article.
I guess it seems kind of hokey. The guys who KNOW security tend to not be so outward about it.
Black holes are where the Matrix raised SIGFPE
The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guys reasoning for not hiring "hackers who have come in from the cold."
SuPz.orG
confused philosopher = donkey
donkey = six letter word
six letter word = hacker
therefore confused philosopher is a hacker.
Why slashdot? Why not?
The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.
It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.
Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.
dmiessler.com -- grep understanding knowledge
I agree completely. Althogh, I think it would be kind of funny if they were doing it over IRC and someone took over the room.
"WhiteHat just got slapped by a dead fish"
"Fdawg is now op"
"Fdawg - Hi mom!!"
"WhiteHat was just kicked by fdawg's mom"
Some security.
It's cracker dammit...
.: Max Romantschuk
I guess being held in high disregard would be having nobody really aware that you're there?
-raph
Maybe the title should instead be "White Hat Hacker Breaks Wind"
Done.
You have four moderator points left.
Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it cause the airlines publish their flightlists and times. I know, they hacked their way into flight school right? This assclown is playing on peoples fears and its intensly disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....
Look forward to script kiddies among others trying to hack the broadcast to gain noteriety.
I think this will be interesting to watch too.
in girum imus nocte et consumimur igni
So is there a similar type of thing going on with hackers as there is with general employment?
White Hat Hackers
Blue Hat Hackers
Labor Union Hat Hackers
Slave Labor Hat Hackers?
(Refering to the entire "white collar" idea...)
I got nothin'.
The word is "cracker" not "hacker" I'm neither but at least I know the difference. Thanks a bunch.
Remember people, CAPS LOCK does, in fact, make you smarter. I work at an investment firm in Milwaukee. Most of our computers run windows. However, the main application that the traders use is, in fact, written entirely in Java. The operating system has not limited our ability to use competetor's products in the slightest. We have .NET apps in production right along side the Java based applications.
Now if, on the other hand, you mean that Microsoft restricts its tools to its own OS ... well then I fail to see your point. We dont expect Ford to make parts that fit in a Toyota as well.
I find it interesting that you choose to find one of the more obscure points in the article and turn it into the start of an MS vs Java offshoot, which is hardly what this article is about.
JavaMonk indeed :)
I was under the impression that @stake was formed by former / current L0pht Heavy Industries members? . While they might know their stuff, are they the people you want "protecting" your network? Shrug. Just a thought
AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interesed in asking pointed questions that millions of people will see when the sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recomend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.
I highly recomend everyone to go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for printed USA Today. There are 750,000 Slashdotters all interested in free software and security? This interest should be reflected in the questions. Follow the link and submit as many good questions as you can think up.
Friends don't help friends install M$ junk.
Absolutely. If you were coding for twelve years, you'd immediately have demonstrated tremendous commitment, which is a Big Plus in employers's eyes. One can assume you would have sought out information on the www, usenet, irc, etc, if you were that interested.
Where I work, every student we've ever had on co-op was the pits, in one case years of schooling did not teach "how to not destroy client equipment and data."
In my experience, the people who go to IT school are doing it because they heard there was big money in computers but didn't have the direction to go about it themselves. This is not the kind of person I want working for me.
Here's another example. I am somewhat interested in computerised physical simulations. I will spend some time doing various physics simulations in OpenGL, or whatever. This is entirely self-taught at my own pace.
I was recently speaking to somebody about his education in the same field. He made an interesting remark: "Next year, I get to apply calculus to physics!" It occured to me that school was not helping him, but in fact crippling him!
"[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
The 2 most overrated fields in IT are definatly
1) Security
2) Video Games
Both are fucking boring as fuck. I know every kid these days goes into college dreaming of becoming a leet d00d with his Information Systems degree and become a uberleet securitah master. Either that or they want to get a CS degree and then instantly get the job they are guaranteed as a code monkey for some video game firm (shea).
Both of those fields fucking suck. Security, once you leave the leet hacker intrigue CIA espionage fantasy shit back in the dorm after you graduate you'll realize what you do is fucking boring ass shit thwarting scumbag employees and stupid script kiddies. Ooohhh FUN! And guess what in the video game industry you don't actually play the god damn games you just code monkey it up for the designers, JUST ANOTHER CODING JOB. BORING.
Wow -- do you have a deep, evil villain's voice?
Sorry scanning a box and running an exploit against some unpatched daemon does not suddenly make you an expert on secure software engineering practices.
Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.
A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]
But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.
Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.
Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
--Matthew
Eerily this Gary Morse guy reminds me of John Vranesevich.
Now if, on the other hand, you mean that Microsoft restricts its tools to its own OS ... well then I fail to see your point. We dont expect Ford to make parts that fit in a Toyota as well.
Then you have low expectations of your systems. I expect my web server to run on most available platforms, same for my database server, and I will try my best to make my middle layer be flexible as well. I do not expect my own solutions to restrict me to a single path dictated by a single corporation. If you choose to predominantly use MS-specific solutions, you are doing just that.
Now, I am not saying that's what you do, I am just commenting on the point that it's OK to be locked in. It's not "OK", unless it's by choice or a very good set of reasons.
Car comparison is not really valid. If you drive a Ford and start liking a new Toyota model, you can trade it in the next day; don't try that with any corporate systems, especially if you are locked in to a single vendor.
IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.
The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.
Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
I was investigating anonymous proxy servers that were abusing our system, and was setting my browser to random proxies to see how they were working (most of them did pretty well). I forgot to change back off of the proxies to come to /. , and got a big message about how I couldn't access from there, because of abuses.. Perfectly reasonable, since I found them through abuses on my network. :)
:)
So, consider the timeout a good thing. At least you haven't been banned by the gods.
Serious? Seriousness is well above my pay grade.
If you look at 9/11 as purely a terrorist act using airplanes, then yes, its facetious hyperbole. But you could have sat down and thought about 9/11 in a metaphorical context. It was a tragedy that could have been avoided and was not because of careless complacency; now the statement makes more sense. I'm sure large companies started to realize they could be next in line. Also, I'm sure he's telling the truth that after 9/11/01, the computer security business skyrocketed. There were many news articles talking about computer "terrorists" infiltrating computer infrastructures to sabotage public works, or even the internet itself. Its hardly fair to castigate a guy for reciting fact.
Normally, I would agree with your assessment of Morse a fearmongering assclown. Except, I know that computer security is thought of as a joke, never taken seriously, and worst of all, procedures and tools are put in place by people who really do not understand the nature of system security. It is the digital equivalent of a 9/11, except its unlikely to have quite the same repercussions. There is nothing moral about a hacker that chooses not to work in computer security because they think that the act of preventing illegal hacking into systems is somehow wrong. In the real world, people work for employers they don't like. To not support their families is irresponsible and childish.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Do you actually work in the real world?
;)
Remember, McDonalds doesn't count as we are talking about IT.
CodeMonkey job at video game firm might be boring. Don't know. Don't know anyone personally working in that field. Database app codemonkeying was interesting for as long as I had problems. It got extremely tiresome when I got stuck in the "support" phase.
If you like to trace raw HD dumps and cracking crypto to reveal originator of an instrusion, then the security sector might be just for you. Done that twice. Once with my own box that gor rooted, once with companys server. Both just of sheer curiosity on my own time because I find the above mentioned things interesting and intellectually challenging. Ofcourse, once I would get good at it, I'd prolly get bored of that too.
You don't state what you do for a living. Or even what you'd like to do and what you might find interesting. I have found out that I get bored to one labour pretty quickly.
If you are like me, go work for a contracting firm. I like this. Once I get bored with one job, I just tell that to my superior and we will negotiate another place to work for me.
This far I have had just short contracts varying from 3 months (Porting Symbian code from device to another) to 2 years (my current job as a software integrator.).
You also get an impressive resume quickly
Bot Assisted Blogging
What article did you guys read, and why are people modding these as "insightful"?
THERE IS NO ARTICLE LINKED TO IN THIS NEWS ITEM.
In fact the link goes to a place you can post questions which may be asked in a chat which has not yet taken place.
C'mon mods... at least read the news story and links before modding troll posts like this.
You obviously dont have fucking clue what your talking about....so lets lay down a few facts first that arnt biased by your knowledge/experience (or lack there of) or my urge to find you and slap you first before we draw any conclusions.
Security is not an overrated field...its a field worth hundrends of billons of dollars a year....no its not overrated...when you have a field were consultants can bill upwards of 1000 dollars an hour...no its not overrated to have a community behind it. Security is a field in wich hundreds of thousands of people in North America alone work in proffesionally....all day every day...not just doing codeing, but doing research, and research that has changed many aspects of the internet over the past 10 years.
Real security that is done by large firms, is not code dependant, in fact, codeing only makes upa bout 10% of the time a proffesional consultant spends on average working a contract.The security we talk about here, and the security wich is regarded when people talk about the security community is very real and very importnat, and involves very little coding. its not a code monkey job. And it requires much more skill, and experience to do than just a random coder can.
Security is not about thwarting scumbag employees or script kiddys, these people use known exploits that a patch gets coded for and then a few millons systems get patched.
The security that we are talking about here involves the use of bugs, explits and holes in system design that are not known and not readily visible. The people who find these, and are smart enough to find these are usally black hat hackers, they are the people the security community is after, since you obviously dont know about this, i'l have to define it for you like i have to with everyone who donst know what goes on past their desktop
A black hat hacker is being paid by one person to get information from another hacker. Fourtune 500 companies do this often. They send hackers after their most threatining competion, in an effort to get design specfications, or other documents that could give them the edge over the company. Other black hat hackers are running billon dollar credit card or other line of credit scams, they go after major companies accounts recivables, they take the credit information, and exploit those credit lines for as much as they are worth...then take the money and run.
These hackers use techniques that they devlop, and the rest of the world dosnt know about, so proffesionals (ie - security people that you were just calling "code monkies") have to constantly look for possible ways that software could, ina hypathetical scenario, be broken. And then generalise these breaks into a more general type of attack (ie buffer overflow attacks) and then design a general methodoligy to countery them, this is what gets handed off to indivudal coders to code solutions for individula applications. The actual security community doesnt do a whole lot fo coding. Yet by your definition, we are all code monkeys.
Is it boring? Not generally, but that depends who you talk to. Is it a Coding Job? is it something that is done by random CS students or code monekys? No. It isnt. Unfortunalty before making your post you didnt bother to actually consult the facts. Perhaps if you were able to understand what goes on in the security industry you would understand why you are so wrong.
(subject body here)
I'm smarter than the average bear.
It didn't have anything *directly* to do with insecure networks, that I've ever heard about. However, the date 9/11 had a great deal of indirect effect on security consultants. Security/anti-terrorism/stopping people from kicking your ass has become *the* most discussed concept in the western world since that date. The Office of Homeland Security. Iraq represented a threat to US Security. Hackers present a Security threat. Apologies for sounding like Illiad but that's what has actually happened in the public eye over the last two years. The profile of security as a profession has gone through the roof.
I imagine that is why they asked the question.
~cHrisIt's also why so many unrelated, futile, and in some cases counterproductive "security" measures were adopted in the aftermath of the attack.
Paul "Say no to feeping creaturism"
How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.
Utter garbage.
That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.
There is phrase 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that the a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.
Being a hax0r does imbibe you with any knowledge of how to develop secure systems. In the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems, break ins that occur usually down to trivial holes, which all non-security orientated developers know how to fix (and code against), these holes occur simply because best practices are not always followed.
Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use seperate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, Software Development and Networking knowledge.
Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.
All but the stupidest of employers care vastly more about experience than education.
Crackers break into secure software, they don't have experience in designing secure software. They would make awful systems that would be just a vulnerable but in different ways - developing secure solutions requires a design approach that bears this in mind.
Serious crackers are *not* suitable canidates for security experts.
And while I'm being soooo off topic here, it might not be a bad business decision to start manufacturing cross-compatible car parts.
Think of it. I've done the maths once (for fun) and the cost of rebuilding my car from scratch with parts, would be 5 times higher then to purchase it from the dealer. This means that they take a higher markup on parts, and since they always break down, one company could make massive money just manufacturing parts, and not going through the hell of manufacturing the whole car. The car business is just a way for them to create potential customers for parts.
Secondly, think about the ecologic impact cross-compatible parts would have. You dont need 10 different gas pumps (for example.) you can have only one model that fits 10 different cars. This way you get to reduce the amount of gas pumps on inventory, which will eventually find their way back to nature if they dont get used.
Now for the open-source angle, so I don't get modded down into oblivion... I've seen the advocacy of re-usable code thrown around so many times. Write once, use many, yadi yadi yada... Why not the same for car parts ? There is only so much tuning you can bring to a piece of code. Once you're there, what can you do ? Pull a Microsoft on it, and make sure it won't work with the next version, so they have to purchase your next version which consist of the same exact code, plus the compatibility flag checked in at compile time.
So let's calculate here... -1 Offtopic, +1 insightful, +1 informative, +1 funny, -1 troll, +2 posting bonus, so I should end up at +5 funny or something... Thank god for Slash moderation
Smile... You're dying already, it's only a question of time...
Marriage is considered capital punishment for the theft of a goat in some third world countries...
The idea of discriminating due to previous hat color
is apalling. I used to be a black hat. I have penetrated corporate america and then some. I have
exploited entire countries. I never went out of my
way for publicity, but some of my exploits were
publicized. I was quoted in a few places. This was
all when I was younger, and not so wise.
I changed.
There is no money in staying a black hat. Eventually, everyone has to eat. The love of the
game never dies, but you have to face reality. I work for a very successful company doing security.
I have taken their policy and general operation
and turned it around in the realm of security. I enjoy my job, it stimulates me, and while they have a good idea of my past, they are cool with it, because they pay me to help protect them from what I used to be. I grew up.
This man who does not hire previous black hats isn't trying to make a statement; he just doesnt want to be upstaged. The only way to be very good at security, is to once have been on the black side of the fence. There are no college credits for exploitation and penetration; these are skills that must be learned under the gun. I have no respect for this man, as his message is wrong. He knows that his livelyhood depends on black hats exploiting systems, so he will not ever give one a chance to change his colors. They will be forced to get a different kind of job, and will stay as a black hat because its the only stimulation they will get.
At least wait until the trial is over and then decide if one is worthy of employment.
For the record, I was never raided or tried in anything, this does not make my once black hat status right, its just the way the chips landed.
It's a nice website, but I haven't read anything on it that lead me to think they have more than just a basic understanding of network security.
razor point security whitepapers whitepapers
I dont see any bugtraq posts either...
Microsoft aggravates my tourettes syndrome.
From USA Today: Chat with Gary about keeping your computer safe from hacking and viruses.
Yeah, I'm sure Manhattan's uber-elite white hat hacker wants to spend his time answering questions like "I can't find my email. Did a hacker take it, or does my computer just hate me?"
$8.95/mo web hosting
Never heard of the guy! Is he all that big?
-- I am. Therefore, I think!
-----------
Together, we will drive the rats from the tundra.
You underestimate the power of the dark side.
My beliefs do not require that you agree with them.
Secondly, think about the ecologic impact cross-compatible parts would have. You dont need 10 different gas pumps (for example.) you can have only one model that fits 10 different cars.
Even further off-topic..
Most car designs do include cross compatible parts within one company. Some manufacters more then others. Using Ford for an example. The radiator for my Mustang fits just about every V8, many 6's and even quite a few 4 cylinder engines made by Ford/Lincoln/Mercury from the mid 70's to the upper 90's. Not as compatible but many of the ignition parts, emmisions controls, brakes, alternators, PS pumps etc.. are the same across the line. Another example is compatibility across the lines, an example being.. The larger diameter rotors and calipers off of certain Lincoln's and Thunderbirds and directly bolt on a Mustang with no modifications. Since there is a good third party supply of all these things they tend to be available anywhere and cost much less. I don't know if the ecological impact is any better though as stated. You need a specific quantity of replacement fuel pumps regardless of what type. How would fewer models but the same quantity represent less waste?
Bad boys rape our young girls but Violet gives willingly.
19:51 9/5/2546
... of course i'm going to use it, and some more. YOU should go to prison
...
...
...
... so do your programming.
...
...
...
... ...
....
TOPIC: Evil computer-user
hey! no black hat, no white hat, eh? invers of no sunshine no shadow.
just because i found out you programmed something stupid/cheap/sloppy and are acctually earning money from it,
doesn't make me evil
for making a cheap product and actually charging money for it.
come on 99.9% of the internet is email. finish. MEGA-REDUNDANT.
why don't they just make computers and a network for that.
should be easy to keep that secure
computers: it's made for programming. people did alot "not-correct" thru history.
it's still funny you can go to jail for sending these few electrons thru her and not there
now if i send these electrons thru here and not there, and you/person would vanish,
now THAT would be serious.
like going to prison for making a short. maybe the should go arrest
those particle-beam-accelerator-scientists...
how can you ACTUALLY call sending-electron-around WORKING?
how can you actually get paid to make sound-waves, e.g TALK?
anyways, it's not like english and our character-set is universal
as far as i know computers are made for programming
but HELP!, what ARE they encrypting? the big companies? i know, so
the NYSE-cops don't know they're doing an insider-job again with the next merger
see there are evil persons everywhere, some just don't get catched
why don't we call a good programmer a white-hat and a sloppy programmer a black-hat?
the WHOLE sec. issue is because they are LAZY, they are trying to CRAM everything into
one protocol(IP/TCP) and network (INTERNET).
the big companies which do work in all countries around should get their own. i mean it.
it's not expensive. lay some cables, security is complete.
it stays there, like one of their super huge skycrappers. can't be more expensive
let the poor-normal-people have their internet. go get your own.
i can't fly (nature didn't make us to fly), so i build a plane.
i hacked the univers. is it going to sue me (it's a safe plane!)? NO!
NO for security, serious, WHY? Nobody knows anything of importance anyway.
and if you're one of those who think just because you know something nowbody else knows, which
makes you have a meaning in life, well, i can smell them from a mile away (and it's probably
some bogus information like "i know who your wife sleept with", wah *yawn*).
the only reason why you have to hide stuff, is like werner heisenberg said "Die Verantwortung des Forschers",
meaning the scientist is responsible for his findings. some dummy (say military) would just get the plan and
blow up the whole planet.
science is funny: you can actually make stuff work, without understanding why it works.
but if i hack your bank-account an make you a billion poorer, who cares:
first: you got another 5 billion.
second: i can't spend it anywhere else but here, this planet.
maybe the huge-company guys just lament to the PUBLIC bout security. In realty they
meet at the polo-club, eat lunch together and have a good laugh about the "security-issue".
if this is true they invented 'security issues" because they are suddenly afraid the general public
would start discusssing stuff seriously and would find out that they are actualy doing nothing
the internet should stay OPEN! if you want to keep a secret don't tell, don't put it on a
computer that's on a open network.
MAEH, sometimes i feel sooo dumb
Face the music boys and girls. Hacker and Cracker are indeed synonyms now. We lost that battle. Time to move on.
Even CowboyNeal knows that or he wouldn't have used "Hacker".
We dont expect Ford to make parts that fit in a Toyota as well.
c e/cars/08 03hybrid.html ...not to mention all of the engine & axle swaps that I've seen among Fords, Toyotas, Jeeps, and Chevys, among others.
I wouldn't make statements like that unless I knew better:
http://www.azcentral.com/class/marketpla
Nope, the use of free software is a practical security consideration on the desktop. Like it's "server" counterparts, there's a rational user model, greater choice, higher quality, easier upkeep and lower cost. These lead to greater security through extra barriers, diversity, fewer bugs and more time and money spent on things that matter. The ideology makes it this way but a consultant does not have to mention that in a short answer such as the one above. Anone who would ignore free software as an option on the desktop is blinding themselves for one reason or another.
I may not be very bright, but I'm not blind and I use free software. This message was posted from a currently stable Debian box sitting behind a Debian packet filtering firewall. To the best of my knowledge, I've never been rooted and the strange things that used to happen to my Windoze computers don't happen anymore. This proves that free software, such as Debian and Red Hat, is not difficult to install or keep up.
It's only a matter of time before places like Key Largo build up statistics that proving that free softare is more secure than it's comerical counterparts.
Friends don't help friends install M$ junk.
"Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold." what the hell he thinks?
The white hackers are good?! Just another attempt to bring down the black man.
However, the applications that you install on that Operating System can be compared to the utility functions of truck. So a Office Suite can compare to a truck-bed camper, or a trailer hitch, or the trailer itself. Maybe you throw some shelving in the back of the truck, or a wielding unit. This would compare to your web server apps or your database apps.
That having been said.. I would expect Ford to offer trailer hitches that fit any trailer in the industry. Or if Ford decided to start making trailers, I would want that trailer to work on my Toyota, Dodge, or Chevy. You see, Microsoft is in the business of making trucks, campers, camper-shells, trailers, weilding units, bed cabinets, etc. But those utility features only work for Microsoft's 'trucks'. No one else's trucks.
Consider this (however)... If 90% of America drove Ford cars. And 40% of companies bought Ford work trucks.. Why would Ford make utilities modules for anything but their own autos.
2. d00d, free kevin.
3. d00d, W1Nd0z3 suX0rz.
Manipulate the moderator system! Mod someone as "overrated" today.
I tought this was a one off, but hell, it's getting interesting
Say that theoretically, Ford, Mazda, and Toyota each manufacture 5 cars. We have 15 cars. So 15 gas pumps total.(all different models.)
Not all of the 15 gas pumps are going to break. But the manufacturer has to stock parts for all 15 models. If they had a universal gas pump, they could stock one each for their 5 cars. If one runs out, they still can rely on the other two. As it stands, they each stock up on 5 gas pump models, some of which will never leave the shelf during the useful life of the car (5yrs after it's out of production.).
So I do believe that having a universal model would reduce the amount of pumps in stock/returning to nature.
Marriage is considered capital punishment for the theft of a goat in some third world countries...
FWIW, you didn't exist prior to the existance of this story. Not that it matters, the editors are probably just sloppy and lazy. Screenshot showing proof is here.
My journal has hot
If their terminal uses red text, they are definately evil black hats... but if it is green or blue then they are on the side of good and justice and are white hats.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
What do you mean, the digital equivalent of 9/11? The physical one wasn't enough? People were given extra time, or released from obligation, for their tax returns. Computer systems for many, if not all of the companies housed in WTC were crippled, as well as many things hosted there. Phone traffic in NYC was congested and crippled. Economic shock was incurred in part due to the human loss (which was actually small, just concentrated) and corporate disruption, but also from IS disruption of financial systems. You may not have heard, but redundancy is part of security. So, does it tie in? Yes.
Sure I'm paranoid, but am I paranoid enough?
;^) Black is not a color, it is the lack of it.
Nah. Nothin' personal. Just proving a point.
My journal has hot
Comment removed based on user account deletion
I would not recomend any such sofware, free or not. I trust the people at Debian to filter out backdoors and spyware. That's something you can do when with free software. I will trust Sun and other reputable comercial software if forced to. I will never trust Microsoft which has backdoord multiple programs, written their EULAs so that they can continue doing this and don't alow 3rd party compilation and verification of their source code for any reason.
A memory is a nice thing to have. You might consider using yours when chosing an OS to "touch any computer other than a goat box."
Friends don't help friends install M$ junk.
Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold.
Exactly how the hell would he know? If you get caught, you weren't a terribly good hacker to begin with. If you don't get caught, then Morse wouldn't know dick one way or another what it is that you've done in the past, except for those things you decide to put on your resume.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Nonsense! The fact that software is free makes a huge difference.
Free software is further ahead than comercial code and there is little chance of comercial code catching up. What kind of reviews do you think M$ Money got in Microsoft's big security hug. How about any of the other code that Microsoft has bought and rebranded? Do you think any of it was written in a way that even aproaches the Unix standard that free software is built on? Do you think people using pirated M$ visual C in Indian sweat shops are going to do any better? The very fact that a pudknocker like me is having this conversation shows the power of free software. We are more than eyeballs. We start from a better postition we care and we get good advice. People making comercial code start with nothing and bang out code someone else, generally clueless, tells them to write.
The massive imbalence shows up in patching. When flaws are discovered, free software is much faster at fixing the problem. The people who cared about the software to begin and dozens of helpers swing into action and a fix is out in a few hours. In the comercial software world, you are lucky if the person who wrote the code even works there. If the poor devil does not get canned, he will have to refresh his memory because the company will have kept him busy with other stuff he may or may not care about. The result is that it takes the company days, weeks months or never to fix the problem.
This all adds up. The comercial software writer is handicapped in the software he starts with and is outmaned and poorly motivated. This is why free software has such good uptimes and does so much more with your hardware. My silly little P90 laptop with 24 MB of RAM and 1 MB of video RAM has multiple desktops, ethernet, 802.11 and a 56.6k modem and supports a 5 Gig hard drive the bios never invisioned. Windoze won't even run on it anymore and the version it came with would never see the networking equipment, the hard drive or give me more than one desktop or accept x-forwarding. Sure, it can be broken into, but it takes more effort and skill than the average script kiddie's got.
Friends don't help friends install M$ junk.
... and i know how my lan is wired. what does this have to do with security? never once did he mention anything about on-wire data, his penetration tests apparently involve nodes only.
my money is on him not being able to penetrate a wet paper bag.
paul
This is not true. You are absolutely free to examine and reverse engineer software products in order to find security holes. What the DMCA prohibits is traficking in circumvention devices. Very few security advisories have anything to do with copy protection. While I think the DMCA is a bad law, you are exaggerating its scope. If I'm wrong, please tell me what "in-depth" activities that really should be legal have been outlawed as "computer terrorism".
Your point would be valid, in an alternate reality where this "white hat hacker (cough)" did not have his chat advertised on Slashdot.
But, alas, it was. And now, instead of 750,000 interested Slashdotters (as you claim), there are 750,000 * (boredom ratio) Slashdotters who will be planning some sort of cyber attack on the chat in question in order to show that they have stronger l33t fu than this sad "security guru" who, in his infinite wisdom, just bought a karma pass on the ride of hideous evil madness that is geek one-upedness.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator