Slashdot Mirror
White Hat Hacker Breaks Silence
Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security.
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Bash, Korn or Csh?
Inquiring minds want to know.
Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
He's not well regarded because he's good at what he does, or because he's good at what he does without cattering to the overused claim that ex-hackers are best suited at protecting systems?
Frankly I find him a breath of fresh air.
Actually, I can understand this, being held in rather "high disregard" myself in some circles.
Ah, the joys of being the "Prince of Insufficient Light"
You are in a maze of twisted little posts, all alike.
Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?
Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial needs Gary Morse to tell them what a firewall does for them?
Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?
Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?
Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.
Or maybe they're just a bunch of wannabes.
Why are we supposed to be interested in this crap?
"Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers " keep in mind things have changed a lot since he devoloped his 'code' sends out a "dot dot dot - dash dash dash - dot dot dot - i'm being hacked!!! " the first bit was SOS in morese code if you didn't know Steve
Here is the text of a recent interview with the
reclusive security wonk from Crain's New York Business.
On the job with...
Gary Morse
Founder and CEO
Razorpoint Security
Keeping a company's computer systems and networks secure from intruders used to be the responsibility of mid-level IT managers. But after the Sept. 11 attacks, the job landed on the desk of company CEOs. Executives in all sorts of industries woke up to the fact that security--of everything from the front door to the mailroom PC--has to be a top management concern.
The new consciousness has proved a boon for companies like Razorpoint Security, which was founded in Manhattan in 2000 and saw its business take off after the attacks. Razorpoint tests just how secure a company's network is by trying to hack into it. The company then does the follow-up work of fixing problems and performing regular network audits. Crainsny.com's Judy Messina talks with Razorpoint founder and CEO Gary Morse.
Crainsny.com: Describe what Razorpoint does.
Gary Morse: In the simplest terms, you can think of us as professional hackers. We're tech professionals who in the past have built large-scale networks, including major sites on the Internet. That helps us know where the pitfalls in systems are and how to break things. Once we find vulnerabilities, we demonstrate them in a very comprehensive report. If we're able to crack passwords, for example, we'll show the list of passwords or a screen shot of them. We want to drive the point home.
Then, one of the three things happens. The company has trained staff who are capable of fixing the problems and they use our report as a roadmap. Others ask us to do the remediation for them. In the third category, and this is coming up more and more, is the client who is overwhelmed and understaffed, and we go in and act as their temporary IT security arm for a while.
Crainsny.com: How do you convince executives that their networks are vulnerable?
Gary Morse: At one firm half the executive board wanted to bring us in and the other half was on the fence. They had all the buzzwords, the firewalls, all the security products you're supposed to have. But when they finally hired us, in less than one week we had control of every device on their network - every server, every desktop computer, every laptop. We even logged on to the system as the president and we wrote an email in his name. The screen shot of that email was one of the prominent pieces in our presentation to the executive board. We had to break the report in two pieces it was so big.
Crainsny.com: What are the most common holes you find in computer systems?
Gary Morse: There's everything from the seemingly insignificant to the colossally devastating. You can have a poorly configured web server or mail server sitting next to a server with financial information. One time, we found a fax machine talking to a phone system so that a document on somebody's work station was being sent over the network as if it were being faxed. Somebody had set up the connection and forgot about it.
Crainsny.com: What do companies need to do to make their systems secure?
Gary Morse: They need to think about what services they truly need in order to be online. Security is a process not a product. There is no shrink wrapped thing you take off a shelf and install. New vulnerabilities are coming out every hour.
Crainsny.com: What changes did you see after 9/11?
Gary Morse: We saw more security awareness. The bar was raised quite a bit. People who had been on the fence about doing regular security audits were certainly calling us a lot more than we were calling them. The year 2002 was a big year for us. We grew roughly 300%.
Crainsny.com: You said new vulnerabilities are surfacing every day. What should companies be preparing themselves for?
Gary Morse: Web and web application vulnerabilities and wireless security issues are going to be concerns. In the past year, a lot of w
I have no pants and I must scream
he is an expert in attack/penetration testing :-D
tat tat ta
Um...was he ever in jail?
The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guys reasoning for not hiring "hackers who have come in from the cold."
SuPz.orG
The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.
It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.
Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.
dmiessler.com -- grep understanding knowledge
It's cracker dammit...
.: Max Romantschuk
Maybe the title should instead be "White Hat Hacker Breaks Wind"
Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it cause the airlines publish their flightlists and times. I know, they hacked their way into flight school right? This assclown is playing on peoples fears and its intensly disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....
Look forward to script kiddies among others trying to hack the broadcast to gain noteriety.
I think this will be interesting to watch too.
in girum imus nocte et consumimur igni
AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interesed in asking pointed questions that millions of people will see when the sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recomend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.
I highly recomend everyone to go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for printed USA Today. There are 750,000 Slashdotters all interested in free software and security? This interest should be reflected in the questions. Follow the link and submit as many good questions as you can think up.
Friends don't help friends install M$ junk.
The 2 most overrated fields in IT are definatly
1) Security
2) Video Games
Both are fucking boring as fuck. I know every kid these days goes into college dreaming of becoming a leet d00d with his Information Systems degree and become a uberleet securitah master. Either that or they want to get a CS degree and then instantly get the job they are guaranteed as a code monkey for some video game firm (shea).
Both of those fields fucking suck. Security, once you leave the leet hacker intrigue CIA espionage fantasy shit back in the dorm after you graduate you'll realize what you do is fucking boring ass shit thwarting scumbag employees and stupid script kiddies. Ooohhh FUN! And guess what in the video game industry you don't actually play the god damn games you just code monkey it up for the designers, JUST ANOTHER CODING JOB. BORING.
Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.
A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]
But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.
Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.
Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Thanks! I was trying to think of who this reminded me of; Steve Gibson in a Nutty shell (bash flavored).
I do not doubt that there are people out there who have never broken any laws and are decent, if not excellent, security types.
However, since it's been illegal to do ANYTHING with a computer since the DMCA and Patriot Act came out, that type of expert is obviously a breed rapidly approaching death.
If a person is acquiring security skills in this day and age, that person is in the law's eyes a black hat.
Why, yes, I AM a Pagan Libertarian.
IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.
The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.
Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
If you look at 9/11 as purely a terrorist act using airplanes, then yes, its facetious hyperbole. But you could have sat down and thought about 9/11 in a metaphorical context. It was a tragedy that could have been avoided and was not because of careless complacency; now the statement makes more sense. I'm sure large companies started to realize they could be next in line. Also, I'm sure he's telling the truth that after 9/11/01, the computer security business skyrocketed. There were many news articles talking about computer "terrorists" infiltrating computer infrastructures to sabotage public works, or even the internet itself. Its hardly fair to castigate a guy for reciting fact.
Normally, I would agree with your assessment of Morse a fearmongering assclown. Except, I know that computer security is thought of as a joke, never taken seriously, and worst of all, procedures and tools are put in place by people who really do not understand the nature of system security. It is the digital equivalent of a 9/11, except its unlikely to have quite the same repercussions. There is nothing moral about a hacker that chooses not to work in computer security because they think that the act of preventing illegal hacking into systems is somehow wrong. In the real world, people work for employers they don't like. To not support their families is irresponsible and childish.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Do you actually work in the real world?
;)
Remember, McDonalds doesn't count as we are talking about IT.
CodeMonkey job at video game firm might be boring. Don't know. Don't know anyone personally working in that field. Database app codemonkeying was interesting for as long as I had problems. It got extremely tiresome when I got stuck in the "support" phase.
If you like to trace raw HD dumps and cracking crypto to reveal originator of an instrusion, then the security sector might be just for you. Done that twice. Once with my own box that gor rooted, once with companys server. Both just of sheer curiosity on my own time because I find the above mentioned things interesting and intellectually challenging. Ofcourse, once I would get good at it, I'd prolly get bored of that too.
You don't state what you do for a living. Or even what you'd like to do and what you might find interesting. I have found out that I get bored to one labour pretty quickly.
If you are like me, go work for a contracting firm. I like this. Once I get bored with one job, I just tell that to my superior and we will negotiate another place to work for me.
This far I have had just short contracts varying from 3 months (Porting Symbian code from device to another) to 2 years (my current job as a software integrator.).
You also get an impressive resume quickly
Bot Assisted Blogging
What article did you guys read, and why are people modding these as "insightful"?
THERE IS NO ARTICLE LINKED TO IN THIS NEWS ITEM.
In fact the link goes to a place you can post questions which may be asked in a chat which has not yet taken place.
C'mon mods... at least read the news story and links before modding troll posts like this.
It didn't have anything *directly* to do with insecure networks, that I've ever heard about. However, the date 9/11 had a great deal of indirect effect on security consultants. Security/anti-terrorism/stopping people from kicking your ass has become *the* most discussed concept in the western world since that date. The Office of Homeland Security. Iraq represented a threat to US Security. Hackers present a Security threat. Apologies for sounding like Illiad but that's what has actually happened in the public eye over the last two years. The profile of security as a profession has gone through the roof.
I imagine that is why they asked the question.
~cHrisHow do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.
Utter garbage.
That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.
There is phrase 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that the a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.
Being a hax0r does imbibe you with any knowledge of how to develop secure systems. In the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems, break ins that occur usually down to trivial holes, which all non-security orientated developers know how to fix (and code against), these holes occur simply because best practices are not always followed.
Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use seperate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, Software Development and Networking knowledge.
Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.
All but the stupidest of employers care vastly more about experience than education.
Crackers break into secure software, they don't have experience in designing secure software. They would make awful systems that would be just a vulnerable but in different ways - developing secure solutions requires a design approach that bears this in mind.
Serious crackers are *not* suitable canidates for security experts.
From USA Today: Chat with Gary about keeping your computer safe from hacking and viruses.
Yeah, I'm sure Manhattan's uber-elite white hat hacker wants to spend his time answering questions like "I can't find my email. Did a hacker take it, or does my computer just hate me?"
$8.95/mo web hosting
If their terminal uses red text, they are definately evil black hats... but if it is green or blue then they are on the side of good and justice and are white hats.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling