Slashdot Mirror


White Hat Hacker Breaks Silence

Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world, agreed to an online chat regarding security. Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies, does not employ hackers who've decided to come in from the cold."

67 of 374 comments

  1. Which shell is he coming out of? by ralphart · · Score: 4, Funny

    Bash, Korn or Csh?

    Inquiring minds want to know.

    1. Re:Which shell is he coming out of? by stevens · · Score: 4, Funny
      Bash, Korn or Csh?

      I was thinking the same thing: He broke silence? Maybe we should remove his cvs commit access to it until he learns better.

  2. Re:the problem with subscriber notices by dzym · · Score: 3, Funny
    The problem with having the 'a new message will appear soon' message is FP trolls know to refresh the screen a whole bunch to get that FP! :)

    Thereby driving up page hits and ad views.

    I think I'm on to something here.

  3. Re:the problem with subscriber notices by caino59 · · Score: 3, Funny

    best patent that idea...

    ooh..trolling = profit

    aww..c'mon, someone chime in with the profit model, and something about Soviet Russia, this won't be a good post w/o it...

    *shrug*

  4. How sad. by Anonymous Coward · · Score: 4, Interesting

    Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    He's not well regarded because he's good at what he does, or because he's good at what he does without catering to the overused claim that ex-hackers are best suited at protecting systems?

    Frankly I find him a breath of fresh air.

    1. Re:How sad. by lymond01 · · Score: 2, Funny

      It seems, Mr. Morse, that you've been living two lives...

  5. Re:well by gotscheme · · Score: 3, Interesting

    That's just the thing, though, that I try to explain to my friends. When hackers hold a security person in high "disregard", it isn't that they dislike them. They really respect people like Morse because he gives them exactly what they want: a challenge. On the other hand, script kiddies dislike Morse because he makes sure they have to actually use intelligence to execute an attack on public networks.

  6. Re:High Disregard by ePhil_One · · Score: 5, Funny
    High disregard, huh?

    Actually, I can understand this, being held in rather "high disregard" myself in some circles.

    Ah, the joys of being the "Prince of Insufficient Light"

    --
    You are in a maze of twisted little posts, all alike.
  7. Is this a joke? by Anonymous Coward · · Score: 5, Insightful
    Why is Slashdot posting advertisements from random security consultants?

    Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?

    Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial firm needs Gary Morse to tell them what a firewall does for them?

    Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?

    Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?

    Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.

    Or maybe they're just a bunch of wannabes.

    Why are we supposed to be interested in this crap?

    1. Re:Is this a joke? by scubacuda · · Score: 4, Informative

      Here are their whitepapers.

      Kinda boring, actually...

    2. Re:Is this a joke? by ipfwadm · · Score: 5, Insightful

      Here are their whitepapers.
      Kinda boring, actually...

      My favorite was the ports list. It started out as a nice copy of /etc/services. The good part is the last third, the "Security Backdoor/Trojan Ports." I learned that ports such as 21, 22, 23, 25, and 80 are "hostile ports" that are "mostly used for backdoor or trojan programs." I can just see some management cl00bie saying "oh shit, our webserver is listening on port 80, we must have been hacked!" Though I suppose given sendmail's security history, maybe it should be considered a backdoor ;-)

    3. Re:Is this a joke? by Renli · · Score: 2

      "management cl00bie saying "oh shit, our webserver is listening on port 80, we must have been hacked!""

      "sendmail is port 25. Port 80 is http."

      Glad you cleared up his misconception that it's not the webserver on port 80 but in fact http. /sarcasm

      Go back and read the post. The webserver comment and the send mail comment were different.

    4. Re:Is this a joke? by ostiguy · · Score: 2, Funny

      No kidding.

      I hang out on Cisco's firewall support board. Some guy wanted to know how to stop people via his PIX from being able to telnet into port 25 and type commands like "mail to", "helo", etc. to his mailserver. Yikes.

      ostiguy

    5. Re:Is this a joke? by the-dude-man · · Score: 2, Interesting

      I think you were a little harsh on this.

      This isn't by any means groundbreaking but it is something that is a pseudo-event in the security industry...this is not a random firm, it is a leading New York City firm...that being said, no they are not a national/international authority on the subject. This wouldn't be on the scale of something like Phil Zimmermann having an online chat about asynchronous encryption.

      However, it is an opportunity for smaller people in the security community, and people who aren't even in the security industry, to talk to someone who is, at least, a successful member of the community. A business executive will pay $5,000 to find out they need a Linux box with a NAT'ing firewall...I know...I've charged companies that much just to tell them that. So for some people, this is a major event to get free advice.

      If these people were to put Citicorp and Bank of America on their list of clients, and they weren't clients, there would at least be a public announcement from them that they do not have any affiliation....worst case...possibly a lawsuit.

      Also, don't expect a lot on a professional security firm's website....a website for a professional security firm has one purpose....attract clients...not divulge information...any firm is not going to want any random script kiddy or black hat hacker scouting the security surrounding their target to be able to find out whether or not they are a competent firm, or what areas of security they focus on. Personally, I consider it a disservice to clients to put loads of security information up onto a public website. The legitimate people who can deal with this data, and offer intelligent discussion on it, are going to find out and do it in the many security circles that exist.

      Moreover, many firms don't even divulge big things they have discovered to anyone. That's how they stay on top...they may be a security firm...but they are also a business...they don't exist to make the security world a better place...they are going to want to develop methods that no one else knows...they are then less likely to be broken...or copied by other firms...all of which lead to more money for the current firm. That being said, this would really only cover big things....for example, if iptables was found to have a vulnerability to exploit, and a firm found it and patched it, they would most likely not divulge this, they can make a lot more money by not divulging it than by running out in the open about it.

      And finally ...who cares? Well, a lot of people...personally, I am going to attend the chat just to listen and maybe do a little talking...it's an interesting thing for many people in the security industry....certainly worthy of the front page of Slashdot.

  8. Morse Code? by sTavvy · · Score: 5, Funny

    "Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers " keep in mind things have changed a lot since he developed his 'code' sends out a "dot dot dot - dash dash dash - dot dot dot - i'm being hacked!!! " the first bit was SOS in Morse code if you didn't know Steve

    1. Re:Morse Code? by Brian+Boitano · · Score: 2, Funny

      I didn't know Steve...

      EH! STEVE!

      --
      What would Brian Boitano do?
  9. Re:McHacker. by confused+philosopher · · Score: 2, Funny

    "What about those [hackers] who've been sitting under the heat lamps?"

    Those computer geeks will not be cold and clammy, they'll just be clammy.

    --
    Why slashdot? Why not?
  10. Don't wait around for the USA Today chat by Dag+Maggot · · Score: 5, Informative

    Here is the text of a recent interview with the
    reclusive security wonk from Crain's New York Business.

    On the job with...

    Gary Morse
    Founder and CEO
    Razorpoint Security

    Keeping a company's computer systems and networks secure from intruders used to be the responsibility of mid-level IT managers. But after the Sept. 11 attacks, the job landed on the desk of company CEOs. Executives in all sorts of industries woke up to the fact that security--of everything from the front door to the mailroom PC--has to be a top management concern.

    The new consciousness has proved a boon for companies like Razorpoint Security, which was founded in Manhattan in 2000 and saw its business take off after the attacks. Razorpoint tests just how secure a company's network is by trying to hack into it. The company then does the follow-up work of fixing problems and performing regular network audits. Crainsny.com's Judy Messina talks with Razorpoint founder and CEO Gary Morse.

    Crainsny.com: Describe what Razorpoint does.

    Gary Morse: In the simplest terms, you can think of us as professional hackers. We're tech professionals who in the past have built large-scale networks, including major sites on the Internet. That helps us know where the pitfalls in systems are and how to break things. Once we find vulnerabilities, we demonstrate them in a very comprehensive report. If we're able to crack passwords, for example, we'll show the list of passwords or a screen shot of them. We want to drive the point home.

    Then, one of three things happens. The company has trained staff who are capable of fixing the problems and they use our report as a roadmap. Others ask us to do the remediation for them. In the third category, and this is coming up more and more, is the client who is overwhelmed and understaffed, and we go in and act as their temporary IT security arm for a while.

    Crainsny.com: How do you convince executives that their networks are vulnerable?

    Gary Morse: At one firm half the executive board wanted to bring us in and the other half was on the fence. They had all the buzzwords, the firewalls, all the security products you're supposed to have. But when they finally hired us, in less than one week we had control of every device on their network - every server, every desktop computer, every laptop. We even logged on to the system as the president and we wrote an email in his name. The screen shot of that email was one of the prominent pieces in our presentation to the executive board. We had to break the report in two pieces it was so big.

    Crainsny.com: What are the most common holes you find in computer systems?

    Gary Morse: There's everything from the seemingly insignificant to the colossally devastating. You can have a poorly configured web server or mail server sitting next to a server with financial information. One time, we found a fax machine talking to a phone system so that a document on somebody's work station was being sent over the network as if it were being faxed. Somebody had set up the connection and forgot about it.

    Crainsny.com: What do companies need to do to make their systems secure?

    Gary Morse: They need to think about what services they truly need in order to be online. Security is a process, not a product. There is no shrink-wrapped thing you take off a shelf and install. New vulnerabilities are coming out every hour.

    Crainsny.com: What changes did you see after 9/11?

    Gary Morse: We saw more security awareness. The bar was raised quite a bit. People who had been on the fence about doing regular security audits were certainly calling us a lot more than we were calling them. The year 2002 was a big year for us. We grew roughly 300%.

    Crainsny.com: You said new vulnerabilities are surfacing every day. What should companies be preparing themselves for?

    Gary Morse: Web and web application vulnerabilities and wireless security issues are going to be concerns. In the past year, a lot of w

    --

    I have no pants and I must scream

    1. Re:Don't wait around for the USA Today chat by sllim · · Score: 3, Informative

      If you want to play that game then take it farther.
      They could have forged the entire presentation. The whole thing could be nothing but a mock up of the company internet site.

      Get real. These people are professionals and you have to trust them to some degree.
      Hell, you have given them permission to break into your company system.

      Besides, is it so farfetched that the President has his password set as 'IBGOD' and the head of networking doesn't have the guts to point out this is a bad choice for a password?

  11. yeah i think so by Anonymous Coward · · Score: 5, Funny

    he is an expert in attack/penetration testing
    Um...was he ever in jail? :-D tat tat ta

  12. Please mod this up... by moogla · · Score: 3, Insightful

    I had the same feeling, it was a particular feeling in the back of my throat; of course I didn't know why I felt turned off by the article.

    I guess it seems kind of hokey. The guys who KNOW security tend to not be so outward about it.

    --
    Black holes are where the Matrix raised SIGFPE
    1. Re:Please mod this up... by paganizer · · Score: 4, Interesting

      Thanks! I was trying to think of who this reminded me of; Steve Gibson in a Nutty shell (bash flavored).

      I do not doubt that there are people out there who have never broken any laws and are decent, if not excellent, security types.
      However, since it's been illegal to do ANYTHING with a computer since the DMCA and Patriot Act came out, that type of expert is obviously a breed rapidly approaching death.
      If a person is acquiring security skills in this day and age, that person is in the law's eyes a black hat.

      --
      Why, yes, I AM a Pagan Libertarian.
  13. Won't employ hackers? by supz · · Score: 4, Interesting

    The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guys reasoning for not hiring "hackers who have come in from the cold."

    1. Re:Won't employ hackers? by freeweed · · Score: 4, Insightful

      His reasoning is probably the same as why you need a criminal background check to do almost any real-world security work (i.e., non-computer-related).

      Want to be a security guard? Nope, sorry, not if you have a B&E record. Want to be a police officer? Couple of murder convictions? I don't think so. And so on.

      The rest of society has already figured this out. Ex-criminals can be useful for information, but it's not very often that they get put into positions of *trust*. I sure wouldn't want someone who's already proven their disregard for security controls designing them.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    2. Re:Won't employ hackers? by daveodukeo · · Score: 2, Interesting
      The Razorpoint website doesn't help either. The only mention of the word "ethic" is applicants need a good work ethic...

      "Razorpoint is always interested in the best and brightest in the technology security field. If you have five to ten years of hands-on, real world experience, we may have a place for you.

      Smart, skilled and self-motivated professionals are desired in the following areas: Security Auditing, Sales/CRM, Firewalls & Intrusion Detection Systems, Application Development, Systems & Network Administration (heterogeneous environments only, no "one OS wonders" please).

      Applicants must be U.S. citizens or already have a green card, have excellent communication skills (written and presentation) and provide a track record and references that illustrate an outstanding work ethic and past career successes."

    3. Re:Won't employ hackers? by shamilton · · Score: 4, Insightful

      A B&E record only lasts seven years (IIRC) so it seems that society has actually figured out that people CAN turn around. People CAN grow up. Amazing eh?

      Furthermore, the hacker who grew up retains his knowledge. The hacker who has never broken into a Real System cause mommy said she'd take away his computer privileges simply cannot know all the details.

      How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

      All but the stupidest of employers care vastly more about experience than education.

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    4. Re:Won't employ hackers? by freeweed · · Score: 4, Insightful

      A B&E record only lasts seven years (IIRC) so it seems that society has actually figured out that people CAN turn around. People CAN grow up. Amazing eh?

      Yup, some people CAN change. Fact is, most crimes are committed by repeat offenders. Most people DON'T change, and have fun applying for the CIA job with your supposedly-erased-due-to-it-being-7-years-old criminal record.

      The hacker who has never broken into a Real System cause mommy said she'd take away his computer privileges simply cannot know all the details.

      How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

      Now come on, grow up. You want to break into a system? Set one up. Crack it. Next, get a friend to set one up, not tell you what he did, then crack it. And so on. You want to elude detection? Install Snort, and try to elude it. Etc.

      You don't think locksmiths are trained for their job by breaking into unsuspecting homeowners, do you? Or alarm companies enhance their products by committing B&Es?

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    5. Re:Won't employ hackers? by LamerX · · Score: 2, Interesting

      True, however, I believe that someone who has had these mishaps would be more experienced and better suited to see that it doesn't happen again.

      There are in fact lots of people who commit crimes that go on in their lives to counsel others. Often people who have done something wrong and have turned their life around are the best people to counsel others who are trying to turn their lives around.

      I don't believe that anybody is saying that it's a requirement to do something wrong to be good at correcting it. They are just saying that typically the person who has done the wrong is better at knowing how to prevent it because they've had the experience and feel of what the problem was, not had someone tell them what the problem was.

      That's the problem with language. You can describe things until you're blue in the face, but you can't ever completely recreate the feelings and surroundings of a situation with your words. Language is always an interpretation, and everyone's interpretation is always different, which is what makes the real experience better.

  14. Re:the problem with subscriber notices by confused+philosopher · · Score: 2, Funny

    confused philosopher = donkey
    donkey = six letter word
    six letter word = hacker
    therefore confused philosopher is a hacker.

    --
    Why slashdot? Why not?
  15. Not a simple choice... by danielrm26 · · Score: 5, Insightful

    The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.

    It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.

    Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.

    --
    dmiessler.com -- grep understanding knowledge
  16. Re:(replying to self) by fdawg · · Score: 2, Funny

    I agree completely. Although, I think it would be kind of funny if they were doing it over IRC and someone took over the room.

    "WhiteHat just got slapped by a dead fish"
    "Fdawg is now op"
    "Fdawg - Hi mom!!"
    "WhiteHat was just kicked by fdawg's mom"

    Some security.

  17. Can't ... withstand ... the urge by Max+Romantschuk · · Score: 5, Funny

    It's cracker dammit...

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
  18. White Hat Hacker Breaks Silence by scubacuda · · Score: 5, Funny
    Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?

    Maybe the title should instead be "White Hat Hacker Breaks Wind"

  19. WTF did 9/11 have to do with unsecure networks??? by Anonymous Coward · · Score: 5, Insightful

    OK, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it 'cause the airlines publish their flight lists and times. I know, they hacked their way into flight school, right? This assclown is playing on people's fears and it's intensely disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one who displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....

  20. Look forward.. by euxneks · · Score: 5, Funny

    Look forward to script kiddies among others trying to hack the broadcast to gain notoriety.

    I think this will be interesting to watch too.

    --
    in girum imus nocte et consumimur igni
  21. White hat? by Ballresin · · Score: 2, Funny

    So is there a similar type of thing going on with hackers as there is with general employment?

    White Hat Hackers
    Blue Hat Hackers
    Labor Union Hat Hackers
    Slave Labor Hat Hackers?

    (Referring to the entire "white collar" idea...)

    --
    I got nothin'.
  22. Cracker by mikeg22 · · Score: 2, Informative

    The word is "cracker", not "hacker". I'm neither, but at least I know the difference. Thanks a bunch.

  23. Re:This guy has no proper java experience by Nataku564 · · Score: 2, Interesting

    Remember people, CAPS LOCK does, in fact, make you smarter. I work at an investment firm in Milwaukee. Most of our computers run Windows. However, the main application that the traders use is, in fact, written entirely in Java. The operating system has not limited our ability to use competitors' products in the slightest. We have .NET apps in production right alongside the Java based applications. Now if, on the other hand, you mean that Microsoft restricts its tools to its own OS ... well then I fail to see your point. We don't expect Ford to make parts that fit in a Toyota as well. I find it interesting that you choose to find one of the more obscure points in the article and turn it into the start of an MS vs Java offshoot, which is hardly what this article is about. JavaMonk indeed :)

  24. Use your brain, please. by twitter · · Score: 5, Insightful
    An anonymous coward bitches and moans and asks, "Why is Slashdot posting advertisements from random security consultants?" He then points out how many smart people there are in New York City and concludes by asking, "Why are we supposed to be interested in this crap?"

    AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interested in asking pointed questions that millions of people will see when they sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recommend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.

    I highly recommend everyone go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for printed USA Today. There are 750,000 Slashdotters all interested in free software and security? This interest should be reflected in the questions. Follow the link and submit as many good questions as you can think up.

    --

    Friends don't help friends install M$ junk.

    1. Re:Use your brain, please. by Reziac · · Score: 2, Insightful

      IOW...

      Would you recommend free software if it were known to be coded by someone with a record of putting malicious back doors in their programs?? Even if they swear up and down that they're reformed and don't do such naughty things anymore??

      I know I'd look upon it with deep suspicion, at the very least. And not let it touch any computer other than a goat box.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  25. 2 most overrated IT fields ever by Anonymous Coward · · Score: 4, Insightful

    The 2 most overrated fields in IT are definitely

    1) Security

    2) Video Games

    Both are fucking boring as fuck. I know every kid these days goes into college dreaming of becoming a leet d00d with his Information Systems degree and become a uberleet securitah master. Either that or they want to get a CS degree and then instantly get the job they are guaranteed as a code monkey for some video game firm (shea).

    Both of those fields fucking suck. Security, once you leave the leet hacker intrigue CIA espionage fantasy shit back in the dorm after you graduate you'll realize what you do is fucking boring ass shit thwarting scumbag employees and stupid script kiddies. Ooohhh FUN! And guess what in the video game industry you don't actually play the god damn games you just code monkey it up for the designers, JUST ANOTHER CODING JOB. BORING.

  26. Sensible position, whether or not claim is true by MickLinux · · Score: 5, Insightful

    Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.

    A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]

    But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.

    Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.

    Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:Sensible position, whether or not claim is true by cyril3 · · Score: 4, Insightful
      It is just as easy to say that any white hat is merely a really smart black hat who hasn't been caught yet and the reason why you wouldn't hire them is that they aren't very good at black hatting.

      If, as you say, black hats arise from white hats who specifically ... did not have the moral fortitude to remain on the white side how can anyone be sure that any given white hat will never turn to the black side if the incentive/threat is great enough.

      if a black hat did have some profound change,

      You make it sound like they are evil incarnate. If the BH you are looking at did time for money crimes or e-vandalism maybe you'd think twice about trusting them but if it was pure challenge based hacking maybe a blanket no-hire wastes talent.

      Seems to make more sense to hire good people who haven't shown any serious criminal activity and then watch them very closely, white and black.

    2. Re:Sensible position, whether or not claim is true by Anonymous Coward · · Score: 5, Funny

      I agree with this wholeheartedly. This is why before I hire anyone I always track down and interview several of their public school classmates to find out if they were ever thought to have stolen anything, if they were ever unpopular or made fun of (might have latent resentment).

      I try to find teachers they had to find out if they were ever given detentions or didn't do their homework -- who knows why someone who used to refuse to do their homework started doing their work, they could stop again at any time!

      Especially, I try to discover if they were ever caught masturbating. The last thing I want to do is hire a masturbator.

    3. Re:Sensible position, whether or not claim is true by merlyn · · Score: 5, Insightful
      So what do you do with someone like me, who is arguably (and been accepted for the most part as) a white hat, and yet has been convicted under what some would argue are messed-up laws as if a black hat?

      Would you hire me?

      Or would you merely stop at the apparent conviction as if that's the only ruling authority?

    4. Re:Sensible position, whether or not claim is true by NDPTAL85 · · Score: 5, Informative

      You aren't looking at it from the right angle.

      Look at it from the company's point of view. YOU are a liability if you have a criminal record. If you ever do anything wrong while working there, their clients who may be victimized by you will ask your boss "Why did you hire someone with a KNOWN criminal record for hacking?"

      Then once your boss gets sued he'd be liable for damages since he'd lose insurance coverage for hiring a known convicted hacker.

      Do you understand it now?

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    5. Re:Sensible position, whether or not claim is true by secolactico · · Score: 5, Funny

      Especially, I try to discover if they were ever caught masturbating. The last thing I want to do is hire a masturbator.

      "Self motivator" with "a lot of manual ability". Funny, a lot of companies value that.

      --
      No sig
    6. Re:Sensible position, whether or not claim is true by Zathrus · · Score: 2, Interesting

      Posts like this one make me wish we'd criminalize adultery.

      Uh, adultery and/or fornication (sex outside of marriage - which generally includes adultery as a subclassification) was illegal in England and most of the US until fairly recently. The most recent US state to repeal its fornication law is Georgia, and there are still 10 states with it on the books (as of that article). Georgia has a separate adultery law, however, and I believe that still stands.

      As best I can tell most states have laws against adultery - either felony or misdemeanor. Having difficulty getting info out of Google on this, and most of the pages I did find are outdated (still listing Georgia as having a fornication law for instance).

    7. Re:Sensible position, whether or not claim is true by Lothar+0 · · Score: 3, Insightful

      If you're one of those "hang 'em high" types who have absolutely no regard for people after serving a criminal sentence, read no further. It would just be lost on you.

      Do you realize the implications of what you're saying, whether or not it is the reality of things? How is anyone supposed to put their life back together after being released from incarceration or probation if everyone shuns them? This creates a permanent underclass of people who very likely have something positive to contribute to society. The costs of a prior mistake, or worse, of being convicted under laws that make no sense would be, and are too high for anyone to bear in a purportedly civil society.

      Under a capitalist system, your scenario makes sense, but I think it shows us one of the flaws of such a system that puts scarlet letters on people out of selfish interest.

      --
      "Anonymous Coward" is for whistleblowers, not unpopular opinions.
    8. Re:Sensible position, whether or not claim is true by fubar1971 · · Score: 5, Funny

      Damn, I better remove the "Guinness World Record Holder for successful masturbation attempts in 1 day" out of the Accomplishments section of my resume. Even though it still would rank higher than the MCSE I have earned.

    9. Re:Sensible position, whether or not claim is true by maxpublic · · Score: 3, Insightful

      YOU are a liability if you have a criminal record.

      Funny, I thought a criminal nature was a requirement for advancement into management these days.

      Not to mention politics. You do know that almost 50% of Congress has a criminal record? And that our own President was a criminal (drug user) at one point? The fact that he wasn't convicted and sent to jail does nothing to diminish the crime itself.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  27. This reminds me of someone...... by Andrew+Lockhart · · Score: 2, Insightful

    Eerily this Gary Morse guy reminds me of John Vranesevich.

  28. Re:This guy has no proper java experience by zurab · · Score: 3, Insightful

    Now if, on the other hand, you mean that Microsoft restricts its tools to its own OS ... well then I fail to see your point. We don't expect Ford to make parts that fit in a Toyota as well.

    Then you have low expectations of your systems. I expect my web server to run on most available platforms, same for my database server, and I will try my best to make my middle layer be flexible as well. I do not expect my own solutions to restrict me to a single path dictated by a single corporation. If you choose to predominantly use MS-specific solutions, you are doing just that.

    Now, I am not saying that's what you do, I am just commenting on the point that it's OK to be locked in. It's not "OK", unless it's by choice or a very good set of reasons.

    Car comparison is not really valid. If you drive a Ford and start liking a new Toyota model, you can trade it in the next day; don't try that with any corporate systems, especially if you are locked in to a single vendor.

  29. Re:Speaking of (not) bright people... by keramida · · Score: 2, Insightful
    "Would you recomend free software, such as Debian or Red Hat, on the desktop?"
    This is not relevant to a discussion about security. This is an attempt to slip ideology into a technical discussion. Back away.

    It's probably an inappropriate question only because it is too specific, imho. One of the first things I'd probably ask a guy or girl who is known for his experience and expertise in security would definitely be something along the lines of:

    "Given the increasing interest of the business world about OSS, what are, in your opinion as a security expert, the advantages if any and disadvantages that you know about of OSS when compared to closed source software?"

    One might argue that this is too generic as a question, or that the question "begs for a particular sort of answer". I would encourage answers that are as objective as possible though.

    --
    My other computer runs FreeBSD too.
  30. It had a lot to do with it... by Ethelred+Unraed · · Score: 4, Interesting

    IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.

    The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.

    Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.

    Cheers,

    Ethelred

    --
    Everyone wants to be Ethelred. Even I want to be Ethelred.
  31. Re:WTF did 9/11 have to do with unsecure networks? by slashdot_commentator · · Score: 4, Insightful

    If you look at 9/11 as purely a terrorist act using airplanes, then yes, it's facetious hyperbole. But you could have sat down and thought about 9/11 in a metaphorical context. It was a tragedy that could have been avoided and was not because of careless complacency; now the statement makes more sense. I'm sure large companies started to realize they could be next in line. Also, I'm sure he's telling the truth that after 9/11/01, the computer security business skyrocketed. There were many news articles talking about computer "terrorists" infiltrating computer infrastructures to sabotage public works, or even the internet itself. It's hardly fair to castigate a guy for reciting fact.

    Normally, I would agree with your assessment of Morse as a fearmongering assclown. Except, I know that computer security is thought of as a joke, never taken seriously, and worst of all, procedures and tools are put in place by people who really do not understand the nature of system security. It is the digital equivalent of a 9/11, except it's unlikely to have quite the same repercussions. There is nothing moral about a hacker that chooses not to work in computer security because they think that the act of preventing illegal hacking into systems is somehow wrong. In the real world, people work for employers they don't like. To not support their families is irresponsible and childish.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
  32. Re:So what are the underrated ones? by Fizzl · · Score: 4, Interesting

    Do you actually work in the real world?

    Remember, McDonalds doesn't count as we are talking about IT.

    CodeMonkey job at video game firm might be boring. Don't know. Don't know anyone personally working in that field. Database app codemonkeying was interesting for as long as I had problems. It got extremely tiresome when I got stuck in the "support" phase.

    If you like to trace raw HD dumps and crack crypto to reveal the originator of an intrusion, then the security sector might be just for you. Done that twice. Once with my own box that got rooted, once with the company's server. Both just out of sheer curiosity on my own time, because I find the above mentioned things interesting and intellectually challenging. Of course, once I would get good at it, I'd prolly get bored of that too.

    You don't state what you do for a living. Or even what you'd like to do and what you might find interesting. I have found out that I get bored to one labour pretty quickly.

    If you are like me, go work for a contracting firm. I like this. Once I get bored with one job, I just tell that to my superior and we will negotiate another place to work for me.

    Thus far I have had just short contracts varying from 3 months (porting Symbian code from one device to another) to 2 years (my current job as a software integrator).

    You also get an impressive resume quickly ;)

  33. Re:This guy has no proper java experience by Syre · · Score: 4, Informative

    What article did you guys read, and why are people modding these as "insightful"?

    THERE IS NO ARTICLE LINKED TO IN THIS NEWS ITEM.

    In fact the link goes to a place you can post questions which may be asked in a chat which has not yet taken place.

    C'mon mods... at least read the news story and links before modding troll posts like this.

  34. Re:WTF did 9/11 have to do with unsecure networks? by albanac · · Score: 4, Insightful
    Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks?

    It didn't have anything *directly* to do with insecure networks, that I've ever heard about. However, the date 9/11 had a great deal of indirect effect on security consultants. Security/anti-terrorism/stopping people from kicking your ass has become *the* most discussed concept in the western world since that date. The Office of Homeland Security. Iraq represented a threat to US Security. Hackers present a Security threat. Apologies for sounding like Illiad but that's what has actually happened in the public eye over the last two years. The profile of security as a profession has gone through the roof.

    I imagine that is why they asked the question.

    ~cHris
  35. Crackers do _not_ make good security experts by @madeus · · Score: 4, Interesting

    How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

    Utter garbage.

    That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.

    There is a phrase 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.

    Being a hax0r does not imbue you with any knowledge of how to develop secure systems. In the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems; the break-ins that occur are usually down to trivial holes, which all non-security orientated developers know how to fix (and code against). These holes occur simply because best practices are not always followed.

    Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use separate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one-way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, Software Development and Networking knowledge.

    Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.

    All but the stupidest of employers care vastly more about experience than education.

    Crackers break into secure software; they don't have experience in designing secure software. They would make awful systems that would be just as vulnerable, but in different ways - developing secure solutions requires a design approach that bears this in mind.

    Serious crackers are *not* suitable candidates for security experts.

    1. Re:Crackers do _not_ make good security experts by qortra · · Score: 2, Insightful

      You are undoubtedly right that even most seasoned hackers would probably not be experienced enough to secure a network. However, Morse's business model seems to be based on first penetrating a network, in order to secure the business of a client by demonstrating its vulnerability (a la Sneakers, an excellent movie). And then, of course, securing the network. If I had to guess, Morse probably has entirely different teams for each of these processes. Now, you could argue that black hat hackers can't be trusted, and I wouldn't put up a fight. But, purely from a skill set point of view, black hat hackers would probably be most qualified for the "penetrate" portion of a job.

      regards,
      qortra
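The post above (comment 35) argues that most break-ins come down to "trivial holes" that any developer knows how to code against, and contrasts exploiting a buffer overflow with writing for a secure environment. The following is an added example, not code from this thread, from Razorpoint or from any poster: the textbook trivial hole, an unbounded strcpy() of attacker-controlled input into a fixed-size stack buffer, next to the bounded copy that closes it. NAME_LEN, the function names and the sample strings are all made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from this thread or from Razorpoint. It shows the
 * kind of "trivial hole" the post above refers to (an unbounded copy of
 * attacker-controlled input into a fixed-size stack buffer) next to the
 * bounded copy that closes it. NAME_LEN and the function names are made up. */

#define NAME_LEN 16

/* Vulnerable: strcpy() does not know how big name[] is. Input of NAME_LEN
 * bytes or more runs off the end of the buffer and overwrites whatever the
 * compiler placed after it (other locals, saved registers, the return
 * address). It is here to be read; only call it with input shorter than
 * NAME_LEN. */
size_t name_length_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* the hole: no bound on the copy */
    return strlen(name);
}

/* Hardened: measure the source without reading past dst_len bytes, refuse
 * input that does not fit including its terminator, and leave dst as an
 * empty string on failure so callers never see an unterminated buffer.
 * Returns 0 on success and -1 on oversized or NULL input. */
int copy_name(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* bounded scan, no strlen() */
        n++;
    if (n >= dst_len)                       /* no room left for the NUL */
        return -1;

    memcpy(dst, src, n + 1);                /* n bytes plus the terminator */
    return 0;
}

/* Same job as name_length_unsafe(), but fails closed: returns (size_t)-1
 * instead of overflowing when the input is too long for the buffer. */
size_t name_length_safe(const char *input)
{
    char name[NAME_LEN];
    if (copy_name(name, sizeof name, input) != 0)
        return (size_t)-1;
    return strlen(name);
}

int main(void)
{
    const char *short_name = "alice";                  /* constructed input */
    const char *long_name  = "a name much longer than sixteen bytes";

    printf("unsafe(\"%s\") -> %zu\n", short_name, name_length_unsafe(short_name));
    printf("safe(\"%s\")   -> %zu\n", short_name, name_length_safe(short_name));
    printf("safe(long)       -> %s\n",
           name_length_safe(long_name) == (size_t)-1 ? "rejected" : "copied");
    return 0;
}
```

The point of the hardened version is not the extra length check by itself but the contract around it: the destination size travels with the pointer, the source is never read beyond that size, and every failure path leaves a terminated buffer. Those are exactly the "best practices" the post says developers already know; the hole exists because somebody skipped them, not because the attacker knew something the defender could not.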

  36. Re:This guy has no proper java experience by Cedric+C.+Girouard · · Score: 2, Interesting
    We don't expect Ford to make parts that fit in a Toyota as well.


    And while I'm being soooo off topic here, it might not be a bad business decision to start manufacturing cross-compatible car parts.
    Think of it. I've done the maths once (for fun) and the cost of rebuilding my car from scratch with parts would be 5 times higher than to purchase it from the dealer. This means that they take a higher markup on parts, and since they always break down, one company could make massive money just manufacturing parts, and not going through the hell of manufacturing the whole car. The car business is just a way for them to create potential customers for parts.

    Secondly, think about the ecological impact cross-compatible parts would have. You don't need 10 different gas pumps (for example); you can have only one model that fits 10 different cars. This way you get to reduce the amount of gas pumps in inventory, which will eventually find their way back to nature if they don't get used.

    Now for the open-source angle, so I don't get modded down into oblivion... I've seen the advocacy of re-usable code thrown around so many times. Write once, use many, yadi yadi yada... Why not the same for car parts? There is only so much tuning you can bring to a piece of code. Once you're there, what can you do? Pull a Microsoft on it, and make sure it won't work with the next version, so they have to purchase your next version which consists of the same exact code, plus the compatibility flag checked in at compile time.

    So let's calculate here... -1 Offtopic, +1 insightful, +1 informative, +1 funny, -1 troll, +2 posting bonus, so I should end up at +5 funny or something... Thank god for Slash moderation :D

    Smile... You're dying already, it's only a question of time...
    --

    Marriage is considered capital punishment for the theft of a goat in some third world countries...

  37. On the subject of hats... by Anonymous Coward · · Score: 3, Interesting

    The idea of discriminating due to previous hat color is appalling. I used to be a black hat. I have penetrated corporate America and then some. I have exploited entire countries. I never went out of my way for publicity, but some of my exploits were publicized. I was quoted in a few places. This was all when I was younger, and not so wise.

    I changed.

    There is no money in staying a black hat. Eventually, everyone has to eat. The love of the game never dies, but you have to face reality. I work for a very successful company doing security. I have taken their policy and general operation and turned it around in the realm of security. I enjoy my job, it stimulates me, and while they have a good idea of my past, they are cool with it, because they pay me to help protect them from what I used to be. I grew up.

    This man who does not hire previous black hats isn't trying to make a statement; he just doesn't want to be upstaged. The only way to be very good at security is to once have been on the black side of the fence. There are no college credits for exploitation and penetration; these are skills that must be learned under the gun. I have no respect for this man, as his message is wrong. He knows that his livelihood depends on black hats exploiting systems, so he will not ever give one a chance to change his colors. They will be forced to get a different kind of job, and will stay as a black hat because it's the only stimulation they will get.

    At least wait until the trial is over and then decide if one is worthy of employment.

    For the record, I was never raided or tried for anything. This does not make my once black hat status right; it's just the way the chips landed.

  38. Chat with Gary about... by Anonymous+Custard · · Score: 4, Funny

    From USA Today: Chat with Gary about keeping your computer safe from hacking and viruses.

    Yeah, I'm sure Manhattan's uber-elite white hat hacker wants to spend his time answering questions like "I can't find my email. Did a hacker take it, or does my computer just hate me?"

  39. to summarize your assertion... by gosand · · Score: 3, Funny
    If, as you say, black hats arise from white hats who specifically ... did not have the moral fortitude to remain on the white side how can anyone be sure that any given white hat will never turn to the black side if the incentive/threat is great enough.

    You underestimate the power of the dark side.

    --

    My beliefs do not require that you agree with them.

  40. Re:Buzzzzzzz....what a sweet sound by Surak · · Score: 2, Informative

    FWIW, you didn't exist prior to the existence of this story. Not that it matters, the editors are probably just sloppy and lazy. Screenshot showing proof is here.

  41. Give them the color test... by Dareth · · Score: 4, Funny

    If their terminal uses red text, they are definitely evil black hats... but if it is green or blue then they are on the side of good and justice and are white hats.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling