Inventor of Proxy Firewall Blames Hackers
An anonymous reader writes "SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's an interesting read, and the end is even better:
Truly, the only people who deserve a complete helping of blame are the
hackers. Let's not forget that they're the ones doing this to us. They're the
ones who are annoying an entire planet. They're the ones who are costing us
billions of dollars a year to secure our systems against them. They're the
ones who place their desire for fun ahead of everyone on earth's desire for
peace and the right to privacy."
with their hair and their clothes, and their music! I can't stand 'em!
time is a perception of a being's consciousness
time is your 6th sense, the weird ones are 7+
Here comes 100+ comments attempting to rationalize the need for hackers.
Truly, the only people who deserve a complete helping of blame are the
hackers. Let's not forget that they're the ones doing this to
us. They're the ones who are annoying an entire planet. They're the
ones who are costing us billions of dollars a year to secure our
systems against them. They're the ones who place their desire for fun
ahead of everyone on earth's desire for peace and the right to
privacy."
Ok, but swap a hacker's desire for fun with a software company's
desire to make money without properly taking responsibility for
securing their product and one could also write:
Truly, the only people who deserve a complete helping of blame are the
software companies. Let's not forget that they're the ones
doing this to us. They're the ones who are annoying an entire
planet. They're the ones who are costing us billions of dollars a year
to secure our systems against them. They're the ones who place their
desire for profit ahead of everyone on earth's desire for peace
and the right to privacy."
It is like a credit card company saying that if someone breaks into
their systems and steals my credit card number, that is my
responsibility - or maybe it is the hacker's fault. Well sure, it is
my fault for using a stupid bank, and the hacker's fault for committing
the crime - BUT SURELY the bank has to take some fault for making this
whole possible - right?
Blame Canada
Being the inventor of said firewall they have most assuredly paid your bills for some time.
I am Bennett Haselton! I am Bennett Haselton!
How dare a large American mega-corporation that wants to keep our private data on their systems and make money off selling it have to spend any money protecting it.
Yes hackers are a pain in the arse, so are spam merchants. That's life, live with it.
In other news the inventor of the Yale lock blames thieves for the invention of the lock, which irritates us daily.
"They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them."
Hmmm.
I think security measures are always going to be necessary because we will never live in a world where everyone is happy and content not to steal something from someone else.
Call me pessimistic.
They should be the first against the wall when the revolution comes.
They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy.
Yes, because only hackers are the ones that can't be trusted. I guess that is why all the prisons are full of hackers not murderers, rapists, etc...
He is also 100% wrong. No one wants to live in a world where we have to lock our doors. Everyone wants to live freely without worry of being taken advantage of. It is absolutely the fault of the "evildoers" that we must put locks on our windows and worry about the footsteps following us down the dark, reeking alleyway.
But it is also our own responsibility to be sure that we can prevent people from taking advantage of us. This means that we must have those locks and firewalls. To neglect this is to essentially invite attack and intrusion. And if it isn't at the hands of one group, it will be at the hands of another.
We don't live in a perfect world, so it's important that we have adequate locks.
Yak Yak Yak - started it all. Find me some Gibsons!
This argument is stupid. I can spread kerosene puddles all over the house, but be blameless, while the idiot who comes in with a lit cigarette is at fault. He's got it all wrong. I say:
BLAME CANADA!
Let's forget the fact that hackers exist for a moment...
These companies would have millions of customers' data out in the open if they could? Personally, I'm glad there are people out there testing these systems to the extent that they are.
I live in a gated community in a town where crime is essentially zero, but we still lock our doors when we're not at home or when we're sleeping.
Rome builds shitty wall, Emperor blames failure on existence of barbarian hordes.
It'd sound fucking ludicrous to read that in a history book, it's no less ludicrous to read that in a modern context.
Dude, grow a pair.
I can not say I agree with the "hackers" (or rather, blackhats), but this is just ignorant.
Let's say there weren't a lot of crackers. Nobody would even bother about the slightest bit of security. Then one guy would learn enough, and since the lack of security he would be able to root the entire planet. One real blackhat, and we'd all be doomed.
We should thank the hackers.
And if software companies would pay a little more attention to security, the internet would be way more secure. So it's THEM to blame.
They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy.
I think the real threat is because there are hackers that do it for money. Geez, haven't you been seeing the news lately? This excuse is so passe.
Perhaps five or ten years ago it would have been plausible to say that computer criminals were largely breaking into others' machines for fun -- but even then, as Clifford Stoll discovered, there were exceptions. Then it turned into more of an organized enterprise. People controlling most of the infected machines on the Internet are NOT doing it out of curiosity or fun: They are doing it for power, and exploiting that for criminal enterprise.
In the past years, we have seen profit-seeking criminals discover how useful insecure systems are to them. The major disruptions now are not caused by simple thrill-seekers.
programmer => hacker
criminal hacker => cracker
criminal non-hacker => script kiddie
"Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."
Is it just me or does this sound like an Onion story?
Sit... Speak.... Shake.... Good Dog!
the firewall or the hacker?
abcdefghijklmnopqrstuvwxyz
How about locks? If only some people wouldn't place their desire for our property ahead of everyone else's desire for property and privacy. They make us run around with keys.
Maybe it's sad, but I guess it's just the nature of the beast. Whole other industries exist for these kind of phenomena, and yes, firewalls are included.
Hackers exploit code that is insecure. Who are the ones who make this code insecure? The good guys. So if people weren't so obsessed with releasing products before they have been reviewed for security, or giving programmers time to create more secure applications then hackers would have a harder time doing the things they do. If anything the recent rise in this type of activity has done nothing but benefit the user in the long run because it is forcing companies to develop more secure and efficient code. I mean when's the last time in the last couple of years you heard Microsoft pushing back a windows release to improve security? Although not all hackers are beneficial and sometimes their motives can be questionable, I think in the end they provide some good, and have even helped spawn completely new IT sectors.
I love to deploy my packages
(1) These 'hackers' pay your bills ... if there weren't any people testing your systems, I think many systems today would be riddled with more undetected security holes than they currently are.
(2) Most security holes are found by hackers
My favorite line in the article...
Whenever someone tells you that there's a novel, easy, solution to security, it's either because they don't understand security or they're trying to sell you something that isn't going to work.
They're the ones providing you information for your vulnerability scanning software.
They're the ones giving you an opportunity to earn a nice salary at the end of the month.
"Locks only keep honest people honest." Such is the same with all security measures. Anything that is created by man can be defeated by man.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
They just find the holes and make the tools.
The people doing the damage are low life scum who buy Spam packages from other low life scum, and set up their own little mom and pop operations. Or script kiddies who create zombie farms from tips and tricks learned in IRC rooms.
They probably barely know how computers work, and not a lick of programming. But they can surely run a spamming or DOS script.
We should no more blame the hackers for spam and DOS attacks than we should blame Napster for music piracy, or crowbar manufacturers for house breakins.
And we don't... do we? *checks slashthink manual*
Virus writers, crackers and their ilk are the predators and pathogens of the Internet ecosystem. They kill off the weak and make the rest stronger.
What would you prefer? An Internet full of weak hosts, with a wealth of unexploited security holes and weakly configured security systems, where your security is left up to the good will of others (everybody just play nice now)? Or one where leery vendors and service providers stand in constant vigilance over security issues, because they have to. The wolves are circling the herd.
What would happen if all the 'hackers' just went away? Everyone would get complacent. Security holes would proliferate, until the temptation just became too large and someone takes it all down in one fell swoop.
I don't know where to begin on this one.
If there weren't any burglars around, I wouldn't have to lock the doors of my house.
If everyone would abide traffic rules, the need for airbags etc. would vanish.
This guy is not only completely missing any connection with the outside world, he also forgets that there are thousands of people working in the (IT) security industry, making a living. It may sound silly, but we keep our economy going this way. This is why there are so many economists/therapists/lawyers/communication advisors/etc. around.
I feel like feeding the troll here. Time to knock it off...
*gollum, gollum*
My web domain.
Imagine how far we would be behind the real hackers today if the hackers for fun didn't exploit the weaknesses of yesteryear. We would be stuck with our thumbs up our asses today.
Privacy!? Have you heard of the Patriot Act?
I blame the existence of theft on thieves.
IPv6 should be the future. Do you see a more secure future then?
No, IPv6 isn't going to solve anything.
I liked this line the best. I'm tired of the people who prattle on about how NAT has broken the internet and how IPv6 will negate the need for NAT and solve all our security problems. That line is a bunch of crap and now we have someone of authority acknowledging that. As for the "out of addresses" excuse, don't even get me started.
As nice as it is to think that the world would be in perfect harmony without hackers, it is little more than a pipe dream. Throughout history, humanity has been plagued by the selfish nature of its constituents ('human nature' just does not jive with the 'common good'), and that is a fact I would argue is on par with Death and Taxes. We as a society have to be realistic here, and we as the geek community, the developers of software, have to take the responsibility to make high quality, secure software, because you just can't trust the public. Wasting our efforts by complaining about hackers is foolhardy.
I'd rather be cycling.
One of the reasons Ranum is such a bitter guy is that he never made any money out of his products. He was always working for someone else and never got a piece of the action. When he finally had his own company (NRF) the product was ill defined, then attempted to redefine itself as an IDS, but was never able to keep up with the performance of modern networks.
"They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."
And they're the ones you should be thanking. They expose your vulnerabilities and make you secure your system against those who don't just want to hack you for "their desire for fun", but are competing with your company and will use the information they get to bring you down.
By saying the above, the author does not realise that these hackers, though nasty in some way, have a democratic right to express themselves as they please. He should also realise that "one man's meat is another man's poison". That's how democracy works. There are many industries making life out of people's misery. Think about the drug companies and the anti-virus companies. Do you think they want disease and viruses to go away?
From their editorial stance, you would think they are a bunch of pimply-faced 13-year-olds who have never worked in the real world. I see more and more of these troll articles and less and less useful, informative or even fun articles.
hackers improve software by revealing its design flaws. software giants should be thankful for not having to pay experts to search for the flaws.
Having insecurity is a plus to the world as it raises people's awareness of issues and in the long term security should hopefully improve. "hackers" will get better and better to keep one step in front but at the end of the day if the user is well protected then they will be at a lower risk than those that use windows 2000 or redhat 5.2 with no patches.
They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy. ahead of everyone???? wow... where did bush go? the hunger for oil? the mujahideens?
Interesting. Does he also blame "the burglars" for "costing us billions of dollars" to secure our homes against them? For "placing their desire for fun ahead of everyone on earth's desire for peace and right to privacy"?
It's very easy (and stupid) to blame problems like these on a poorly-defined class of people. It achieves nothing. It would be far more productive to analyse what exactly makes it possible, easy and acceptable for people to "hack" -- in the sense that most people doing it wouldn't consider to be thieves (I believe), but are happy to invade other people's computers.
If we got rid of all the hackers, wouldn't we still need to secure our networks from governments, criminals, terrorists, rival business, etc?
I think the blame lies with them more than just hackers.
I see every day the results of poor practices, shoddy software, and just plain old stupidity when it comes to security. Fix those first, then worry about the hackers.
LOAD "SIG"
RUN "SIG"
Canada is innocent. I blame it on the Boogie(TM).
Perhaps Marcus secretly likes hackers. Consider the hidden subtext in his statement:
Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy.
Ask me about repetitive DNA
Obviously this guy has never heard of espionage. *Most* (not all) hackers/crackers get in, poke around, and leave. I've known a few that actually fix shit on the way out, and leave friendly notes (though I think more highly of the do no harm crowd).
The *REAL* danger are corporate spies who not only want your secrets, but also plant spyware, or destroy infrastructure to hamper a competitor. There is also the growing instances of state-sponsored computer cracking whereby poorer nations (particularly the axis-of-evil states) seek to leverage the power of attacking information infrastructures instead of the physical infrastructure. Remember, the US didn't take down the Soviet Union by dropping bombs and shooting bullets. We bankrupted their ass in a nice game of 'keeping up with the neighbors'.
I think that's kind of implicit, but as he says, there would be no need for security without hackers. Of course, his comments are no more insightful than saying it's only because of thieves that we have to spend money on locks. Well, duh.
It's not insightful, but it is true. Hackers are to blame for our current security needs.
While I don't think *cracking* is right ( nevermind arguing the semantics of it ), I don't think it's relevant to complain about them. It's like getting annoyed with bacteria, and blaming it for the invention and need of anti-bios.
Yes, if it weren't for x we wouldn't need y. However, much like bacteria strengthens the body, crackers strengthen our software. Albeit in a round about way.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The Hackers are not available for comments.
In other news, John Key, a bolted lock inventor, ended his interview stating: "Truly, the only people who deserve a complete helping of blame are the burglars. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our homes against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."
The Sig, the sig
Which idyllic part of Canada do you live in?
The house we bought in the nicest part of Vancouver last year came with security bars on the 1st floor windows, an alarm system and triple locks on the doors. Maybe the previous owner was a bit paranoid, but a private security firm has just started patrolling the area near us due to a rash of break-ins.
Vancouver has the highest rate of car theft in North America hence the arguably successful bait car program.
You might argue that we don't lock our doors in the daytime when we're home, but the number of home invasions is making that less common.
If you don't want to repeat the past, stop living in it.
I also blame the criminals for breaking the law and causing us to build jails, create police forces and cost us billions a year in doing so..
HARTMAN: Jesus H. Christ! Private Pyle, why is your footlocker unlocked?
PYLE: Sir, I don't know, sir!
HARTMAN: Private Pyle, if there is one thing in this world that I hate, it is an unlocked footlocker! You know that, don't you?
PYLE: Sir, yes, sir!
HARTMAN: If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?
With full credit to Kubrick, Herr, and Hasford, there is some wisdom in this quote. If folks would secure their software there wouldn't be a temptation to try to get in. I know that it is impossible to make something 100% secure; however, leaving the door wide open (as many software vendors do) only adds to the problems.
This signature intentionally left blank.
Even though I am on the defensive side, trying to keep my servers safe from crackers, script kiddies and so on, I do appreciate these groups for existing.
If they didn't exist, I would really have felt much more unsafe from espionage and the prying eyes of national and international bodies.
From my stance, confidential information must be very well protected, and if you put available on the internet, you better have secured it or face the consequences.
By knowing that crackers exist, you might hesitate to put important and confidential information online, imagine how it would be if everybody only talked about cracking as theoretically possible!!! Spies would never tell what they do, they would be everywhere! Knowing your accounting, your secret papers, everything, for nobody would care to improve the security of their products from something that was only theoretical... All the good guys would have no privacy whereas only the black hats would be able to move around as they liked.
Face it - the world has all kinds of people - angels, devils, and all sort of people in between. To be hit by someone who exposes you is many times better than to be hit by those who simply abuse the information without any words.
Have you never heard the saying "Your freedom ends where my nose begins"? Swing your arms around all you want, but if you swing your arm into my nose, that is a crime. Breaking into someone's computer is morally and legally no more justified than breaking into their house. Nobody would care -- and the computer anti-virus industry would not exist -- if viruses were only targeted at willing victims.
Hacking (in the illegal sense) is just asking for trouble. IMO anyone who does it deserves a few years in solitary... Maybe if they just outright hacked anyone's head off who did it, then the others would get a clue and stop. :-P
I blame criminals in general for making me have:
* Locks on my house doors and windows
* Locks on my car doors
* The fun of car alarms
* Having to put a key into a car to start it, instead of just having a "start" button
* Lock on my laptop at work (my company is big enough where people will steal a laptop off your desk).
* Not letting me keep piles of cash on my front lawn.
I'm trying to make the point that criminals exist in this world, and you have to deal with it. If you don't protect yourself, you will be preyed upon by the ones that want to do harm to you or others. We are in a world where you have to put up a defensive barrier around yourself, as being an aggressor (attacker) is against the law (being a vigilante).
It's not what it is, it's something else.
the Russian mafia, assorted lesser criminals...
Has this guy ever heard of corporate espionage? Granted, it's probably easier to just do an inside job rather than hack network security... if the security is competently done. I don't think any of the usual suspects would pass up an opportunity to be lazy if the PHBs running their target decided to oblige.
At least with your stereotypical "hackers" you'll know you've been hacked, what with your home page redone in leet-speak and all. Professionals will keep you in the dark as long as possible.
These companies would have millions of customers' data out in the open if they could?
A company should NEVER expose such data to the wild, untamed, lawless public Internet. It should only reside upon networks which are purely internal to the company. The Internet was NOT created to be a corporate WAN link for cheapskates either. Back in the days before the widespread proliferation of the Internet (early-mid 90's) companies used to lease private WAN links from the phone companies or outfits such as MFS, and things were pretty doggone secure until someone said, "hey let's save money by using the Internet as our WAN link instead" and the security problems took off like a rocket when everybody started doing it too. Back in those days, the Internet was not intended or designed for commercial purposes. It was for education, research and entertainment purposes, and life was good. Commercialisation f*cked up the Internet.
The slide of "hacker" from meaning a general type of computer tinkerer to a malicious cracker (please, no redneck jokes) is called a pejoration. It is also a form of word specialization.
A common example is the word meat. It used to mean almost any kind of food, but became specialized to mean non-fish animal flesh. Vestiges of the old usage can be seen in the words sweetmeat and mincemeat.
Another example: the word blessed used to be applied to the simpleminded (please, no red state jokes).
Anyway, you guys lost the word hacker to the greater forces of society, so, well, you need to find a new one.
In other news, burglars are the reason people have to have locks on their doors and windows.
The article is actually pretty interesting. Sure, this guy is very opinionated, but it's an interesting read (the post made that point). His point about who needs to be blamed for the security issues was taken out of context.
If we consider the Internet as a big local network, we will see that some of our neighbours keep getting exploited by spyware, virus, and so on. Who should we blame? OS producers? Or our neighbours that chose that particular software and then run it without an appropriate secure setup?
There's enough blame for everyone.
Blame the users who don't secure their systems and applications.
Blame the vendors who write and distribute insecure shovel-ware.
Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam.
Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations.
Blame the IT managers who overrule their security practitioners' advice and put their systems at risk in the interest of convenience. Etc.
Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.
"Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations."
Can something still be considered slander if it's true??
Time is an illusion. Lunchtime doubly so. - Douglas Adams
Seriously take some responsibility. Yes malicious hackers are annoying and cause damage, but coders writing vulnerable programs are also responsible. If I buy a car and it is found out that there is a known defect that could adversely affect me as the driver what happens... How about not trying to place blame (because if we are then I can point out a lot of software that has the same vulnerabilities over and over and over again...)
News Reporters Make Tasty Polar Bear Treats!
In a related story, the designer of the Great Wall of China blames Mongols.
Don't blame Durga. I voted for Centauri.
mod this story -1 Troll?
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
... wait for it.....
A REDNECK FIREWALL!!!
mu ha ha ha ha.... oh my just breathe...
Oh, and you are not allowed most places to "booby trap" even your own property.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Is anyone ever "truely" secure?
"God of Rock, thank you for this chance to kick ass. "
Everyone's putting this into a context of some sort, so here's mine:
We have cops because there are criminals. But according to the reactions I've seen so far, the cops should be happy we have murderers and thieves because they wouldn't have a job otherwise.
What kind of sick, screwed up logic is that!? And why in the heck are people trying to twist the reaction towards this end?
There are hackers, so we created defenses...which in the mirror means we have defenses 'cause there are hackers. We should be thankful there are hackers so we have defenses? Fuck that. And fuck anyone who thinks that.
I have a lock on my front door because there are thieves, but I don't go home each night, lock the door, get down on my knees and say "praise the lord there are thieves so I can have this lovely door lock!"
It is only prudent that, given that I have something to lose, I should endeavour to protect it. Thieves (and the like) are not only the reason but the RESULT of having these locks.
So there are these people out there, called hackers, who get some kind of sick joy out of harming, destroying, discrediting and ruining people and their lives. They are the reason for the protections we have, but there is no reason we should be happy we have them. This guy in this article is right, the hackers are a problem and a menace. I say fuck them.
I will not give any glory to hackers. You don't compliment the enemy.
The troops are there to protect us from the enemy. I will not thank the enemy for giving me a reason to have troops. I would rather not have to have them. And though we don't live in a WallGreens world, I can't believe anyone would rather have to spend massive amounts of time and money, than not. Fuck the hackers. Fuck their supporters. And fuck anyone who thinks the hackers are just innocent dorks having "fun."
What does this guy have against hackers?
If he's in geek denial I can understand that, and if he has a problem with a particular hacker that compromised his security I can understand being a bit bitter on that one too, but it's no reason to demonise every top-notch programmer in the world with such a broad brush.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
It is all the criminals' fault! It is because of them that I have to buy locks to keep my doors shut and the thieves out of my house.
It is all the clouds' fault! It is their fault that rain comes down out of the sky and I need to carry an umbrella when I go to work in the morning.
It is all the Earth's fault! Mother Nature should be ashamed that these things called earthquakes exist and we have to build our buildings to withstand them!
It is all the Earth's fault again! If the Earth did not rotate, it would be day all the time and we would not have to light up our streets at night. Oh wait...
That should be your, not you're.
It is often about keeping employees 'in'; logging where they go, restricting what services they use, etc. Not every wall is to keep people out. Many places I have seen put far more effort into keeping the employees 'in-line' than blocking outside threats.
*Dramatic drum roll*
...but (hopefully) a measly few of us are crackers.
A LOT OF US ARE HACKERS!
Every so often the media prints bad stuff about hackers. More often than not this is a misnomer. A cracker -- the correct term -- is a person who uses computers to do Bad Things (breaking copy protection, committing electronic break-in and theft, writing viruses, etc).
On the other hand, the term "hacker" describes a skillful and devoted programmer. Yes, hackers break some rules, but so do artists - it's a good bad attitude. To stay in that context, for obvious reasons hackers would no more be affiliated with crackers than artists would with graffiti scribblers (though even graffiti has its good and bad sides), so naturally the "hacker" vs. "cracker" discord perpetuated in the media is uncomfortable.
Anyway, in spite of constant media abuse I will not eschew the word. In fact, I frequently pester journalists about their term misuse, though I realize that attempting to enlighten the media about their misconception is probably a lost battle by now, after years and years of misuse.
But, as they say, you miss 100% of the shots that you don't take.
Go ahead, mod me down. Be a sheep.
"Good news, everyone!"
Bedroom crackers keep us alert about security issues and that's a good thing. We want to maintain that level instead of government level where we fill security holes in fear of having some other country taking over our infrastructures.
There will always be evil so long as there is good and vice versa. One can't exist without the other at least as I understand it.
We all know the magazine, it recently had an article comparing the new GUI of windows XP against the old one of windows 95. Wasn't that some valuable consumer information?
So, where are the articles comparing how windows XP's new service pack 2 stacks up against multics, the forty year old OS designed mostly under the wings of the US air force? You know, the one designed with security in mind just like the NT kernel? I can guess the conclusion of the article. "Those who need backward compatibility should go with windows and see how much of the shell/browser/other crap they can strip, for everyone else it is either multics or a bi-weekly malware hunt"
The day after this article people will line up in front of compusa demanding a computer that, as always, has the most megahurts, but also doesn't spend most of its bandwidth on DDoSing and spamming others on the internet or spend too much of its time at the shop getting the spyware cleaned out.
Hackers are programmers more than anything else and as such are no more responsible than programmers we don't call hackers for whatever reason.
I'd rather have a hacker code up a worm that infests my computer than no hacker doing this. Think about it. If the security holes existed without worms pointing out the obvious holes then who's there for the taking/manipulating your data? Who else but corporations or institutions capable of paying people to do this. No, I say blame everyone equally for sloppiness. Sloppy security practices, sloppy coding etc. It seems the only thing that isn't sloppy is the marketing that makes you buy this crap.
I think we should be grateful for the curious hackers that tried security out for free during the history of networking and so on. As they have put light on issues that otherwise would have been ignored and then later used to totally destroy systems/data when someone with a mission of terrorism tried the same thing.
It's of course annoying but much preferred to actually be all out attacked whenever a flaw is discovered.
If there had never been any hackers our systems would be so easy to exploit when one would appear that it's mind numbing to think how quickly basically every system in the world could be stopped by a single virus. Who cares about servers, think centralized control systems for traffic lights and airports, power systems, etc etc...
God bless the curious hackers
Now that I come to think about it, the human drive that motivates people to attack others - aggression, envy, desire, jealousy, resentment, greed or whatever - are the same human behaviours that we've always displayed throughout recorded history. They didn't stop us moving from Ur to megalopolis, hunter-gatherer to modern societies and so on, and they're not going to stop computers having an overall beneficial effect. Speaking personally, I'd be out of a job if no-one was a threat to my employer, so to be honest it doesn't bother me. It's a callous thing to say but every time there's a big hack that makes it to the news, I mail my boss with the URL and we look forward to having more ammo for demanding more resources and greater input into development and ops practices, for instance. (The 40million Mastercards hack was a great example: it'll probably turn out to be "only" a few tens of thousands of cards, but it's the 40 million figure that the non-technical management will remember - and that will concentrate their minds on the importance of security. (I don't mean _my_ management of course - they take infosec _very_ seriously, which is why they hired me :)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
ROLLOFOLLOLECOPTER!!!!
"They're the ones who are costing us billions of dollars a year to secure our systems against them."
Those billions of dollars in system security have created an entire market segment that employs thousands (hundreds thereof?) of people and provides fuel for the economy.
Aside from this, you can't really blame the bad guy by saying "if it weren't for the bad people, we'd all be much better off." Well no shit, Sherlock. The fact of the matter is, there will always be bad people who will cause more trouble than they're worth. So instead of pissing and moaning about the "bad people", just do what you can to provide fewer opportunities for them to do their thing. In this case, that means write better software, design better systems, provide better security tools, etc.
-kidlinux.
They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy.
Damn, I've been hacking strictly for profit. Hours and hours on end of blackmailing small business owners, endless digging through corporate temp folders, sleepless nights coding new trojans... all to make a few bucks. I didn't know it could be fun as well!
-- If god wanted me to have a sig, he'd have given me a sense of humor.
So the hacker. The person doing this because they're naturally predisposed towards thinking outside the neat little security box is at fault. Someone just wants to see if they CAN get on.
This dipshit would rather this stuff be sub-rosa until someone DELIBERATELY does it under the aegis of corporate espionage? Or for blackmail purposes?
Chas - The one, the only.
THANK GOD!!!
Heh, reminds me of a commercial. Guy is playing golf and continues to smash windows instead of in the hole. And his friend says "better luck next time." The bad golfer then goes into his company car, which is for a window repairshop.
What's the point to this post? No point. I like the commercial. Oh, and if it wasn't for hackers, companies would have to develop their own virii to scare people with.
And it's these criminal hackers that put monetary worth ahead of personal integrity that are giving real hackers a bad name. The word "hacker" gets thrown around so wildly sometimes, without any real distinction that there can be good and bad hackers.
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
He's correct in his assessment of blame. The people who hack systems, break stuff, spread viruses and bot networks etc are 100% responsible for their actions. They are violating laws left and right with no regard for others.
Yes, insecure code, a lack of a firewall or antivirus software opens you up to potential attacks, or not having the latest security patches. However that doesn't excuse an actual attack.
By the reasoning of most of the posters here, unless your home is as secure as fort knox, anyone who breaks in and steals stuff isn't really to blame... I mean, come on, you could have protected your house better. Put in pressure plates and motion sensors. Try a laser grid on the floor. Armed guards, time sealed doors, attack dogs etc. Anything less and, geeze, you're practically inviting them in to take your stuff!
That's what the Internet is like. You really have to lock up your system like Fort Knox to keep yourself safe. Even then, the burglar could find a spot in the security system that isn't fully covered and get in that way.
The ONLY secure machine is one that is sitting in the corner, surrounded by a lead box, not connected to any network or power supply. A useless machine really.
Those who attempt to maliciously exploit vulnerabilities deserve every ounce of blame you can possibly assign to them. I personally want to kick the guy in the balls that did the Blaster worm... took weeks to get my old workplace cleared of that thing. Just because it is POSSIBLE to exploit something does not mean you SHOULD exploit it. Too many people online use the reasoning that if it's possible it should be allowed.
It's also the robbers who are responsible for costing us $trillions for locks, security systems, and maintaining a police force.
And they've been doing that for millennia, with no signs of stopping.
Sigh.
I blame Microsoft! Really, I do!
If there were no $ in cracking then there would be no crackers.
If security was handled as it should be, there would be no huge security economy.
If it weren't cheaper to blame the individual whose system/data is compromised, i.e. "identity theft victims", the info would be secure. Making the banks and businesses pay the cost of reconstructing someone's financial life would do more for data security than anything done to date.
Hell, even I've had fantasies of glomming huge amounts of cash and data=cash. Were I less interested in inventing oddball stuff and more keen on driving a Lambo and boffing strange on my yacht, I'd have done it a long time ago.
...they'd be impervious to break-in even by a SWAT team backed up with a tank. Doors and windows with locks suffice. But they are not at all resistant to break-in with the most minor of tools as latchkey kids with a coat hanger prove all across America constantly to their parents.
The point is that your system is yours, no different from your home and there is the tacit understanding that no one sees of your home but the facade you put out for them to see. The inside is your own, what you keep there is your own, and no one has the right to invade it. Hackers are no different than misbehaving teen goons who break into homes to mess around and prove they can do it if not to actually vandalize and steal.
We should treat them no differently and those geeks who sympathize with them and in many cases wish they could be them need to stop and understand that their civil rights are everyones' civil rights. If you don't think people have the right to go through your stuff at will without your permission, others have that same right too and those who won't respect those rights need to be punished by society if we're going to keep those rights. Apathy by the masses with regard to their privacy and the privacy of others is guaranteed to destroy their privacy forever.
Mere decency and mutual respect should be enough. Sad that it isn't.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
To say hackers are evil is like saying germs, viruses, and carnivores in general are evil. By merely acting out Adam Smith's society being benefited best by each acting in his own best interests (adapted by John Nash to include societal interests for best outcome), we are keeping in step with mere nature.. A dog will forage for food, defend its food, and kill its food, so that it can stay alive. A rabbit will defend against other rabbits if need be (though they'll generally run away from anything else).
A patron is looking for a good deal, and will expend effort to maximize their deal, so sloppy wording on a sign on your store-front are invites to a natural onslaught of fiscal frustration. By natural, I mean there is no evil intent in people trying to keep you for your word in maintaining a good bargain (that you didn't intend).
If there is money on the street, it is conceivable that:
a) the original owner will never find it again
b) someone else will take the money
So you justify taking the money yourself.
If you are hungry, you might be inclined to take two samples at a free food-sample kiosk. It's unfair as it goes beyond the intent of "sampling" and takes away from others (since there is usually a set amount of sample provided for the day).
In reality, those that are sheltered from such harsh survival of the fittest environments will EVENTUALLY meet with that environment.. It is impossible (short of death) to avoid it. Thus the question is not IF we will meet our challenges, but when, and how quickly will the difficulty level rise.
For those with assets we fear to lose (time, money, possessions, intellectual property, etc), it is natural for them to be sought by others. Having a public wiki is valuable advertising real-estate (or a personal repository for globally accessible content). So graffiti, being merely a primitive form of marketing, is bound to happen. Bank accounts are an obvious point of content.. If you happened to come across money on the street, you are more than likely to take it. If your ATM machine started allowing you to withdraw cash w/o deducting from your bank account, there is a better than likely chance that you'll take advantage (anonymous theft when it is considered to not overwhelmingly harm someone else - proportionate loss/gain - is often self justified). There isn't much difference from taking from that ATM machine and taking from an online bank account that you've happened by. Yes there is a greater issue of proportionality (you might be stealing from someone poorer than you), but you might think to yourself (I'm teaching them a lesson).. Whatever the cause, an otherwise moral man may find themselves tempted.. To say nothing of the mafia.
And ultimately organized crime is the tyrannosaurus of our internet age. The mafia being only one form of it (unfriendly governments being an even more serious threat). The age of mafia and internet "WAR" (literally between nation-states) is only a matter of time.
So if our "evolution" through natural selection and adverse environment does not "toughen" us enough to sustain such natural phenomena, then we will die (or at least the medium will die).
So let's look again at these "evil" hackers. Many of the hackers were self-professed white-hackers, or anonymous exposers. If you are inclined to see if a WEB-INF directory or IIS-specific file-set are visible on a public site, you can either email their sys-admin who might sue you for hacking, or simply ignore you (like MS tries to do with serious security alerts so long as the general public is oblivious), or you can make it a priority for them... Deface their web site, delete lots of their database records.. Make it too expensive for them NOT to resolve the issue.
These are altruistic people. Slightly less altruistic are those that advertise themselves 3l33t hacker-names advertised here and there. As they have the fun and recognition-factor of it all (especially if they get CNN coverage).
Embrace th
-Michael
The right to be left alone is indeed the beginning of all freedoms. -- Supreme Court Justice William O. Douglas
http://www.writing.upenn.edu/~afilreis/50s/douglas-bio.html
"They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."
Wait, don't a lot of world governments do that too?
pi = 2*|arg(God)|
If you'd RTFA you'd see that he blames all the appropriate parties. Go RTFA.
happy => gay
homosexual => deviant
closet-case => priest
Yeah, go on. Mod me -1. I've got Karma to burn, and if you're so easily offended, perhaps you should turn your computer off. This is a humorous post to demonstrate that words change over time and the OP should learn to deal with it or move to France (where they have a department to try to keep the language pure).
I don't find this part of the interview all that exciting. What I find interesting is that this guy doesn't consider non-deterministic methods at all. Going back to his example of securing a corporate network: sure setting all the trust relationships by hand is next to impossible. But imagine the following scenario: all of a sudden Bob's computer starts talking to Jane's PC, after days of no traffic between the two. Doing some statistical testing this could be noticed to be highly unusual and the communication could be denied, or severely limited. This would do a great deal in stopping worms from propagating.
If it's legit and the statistical filter denies it, then Bob will have to call support. But I reckon this is preferable to having a whole company infected by the latest worm, just because Bob decided to open the attachment "joke.exe".
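The idea in the comment above, sketched as an added example that is not part of the original thread: learn which peers each host normally talks to, then treat a first-time pair as "limit" and a burst of first-time peers as "deny". The Poisson tail test, the thresholds, the addresses and the training flows are all assumptions constructed for this illustration.

```python
import math
from collections import defaultdict

DAY = 86400  # seconds

# Constructed sample hosts (not from the thread).
BOB, JANE = "10.0.0.11", "10.0.0.12"
FILESERVER, MAIL, PRINTER = "10.0.0.2", "10.0.0.3", "10.0.0.4"


def poisson_tail(k, lam):
    """Return P(X >= k) for X ~ Poisson(lam)."""
    cdf = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - cdf)


class PeerBaseline:
    """Per-host model of known peers and of how often new peers appear."""

    def __init__(self, window=3600, alpha=0.001, floor_rate=0.05, warmup=DAY):
        self.window = window          # seconds over which novel peers are counted
        self.alpha = alpha            # p-value below which traffic is denied
        self.floor_rate = floor_rate  # minimum assumed new peers per day
        self.warmup = warmup          # initial span where every peer looks new
        self.known = defaultdict(set)     # src -> peers seen in training
        self.rate = {}                    # src -> new peers per day
        self.pending = defaultdict(dict)  # src -> {novel dst: first attempt}

    def train(self, flows):
        """Learn from (timestamp, src, dst) records of normal traffic."""
        flows = sorted(flows)
        if not flows:
            return
        start, end = flows[0][0], flows[-1][0]
        new_counts = defaultdict(int)
        for ts, src, dst in flows:
            if dst not in self.known[src]:
                self.known[src].add(dst)
                # Peers first seen during warm-up do not count as "new".
                if ts >= start + self.warmup:
                    new_counts[src] += 1
        days = max((end - start - self.warmup) / DAY, 1.0)
        for src in self.known:
            self.rate[src] = max(new_counts[src] / days, self.floor_rate)

    def judge(self, ts, src, dst):
        """Return 'allow', 'limit' or 'deny' for one attempted flow."""
        if dst in self.known.get(src, ()):
            return "allow"
        pending = self.pending[src]
        # Forget novel peers whose first attempt fell out of the window.
        for old in [d for d, t in pending.items() if t <= ts - self.window]:
            del pending[old]
        pending.setdefault(dst, ts)  # repeated attempts count once
        lam = self.rate.get(src, self.floor_rate) * self.window / DAY
        p = poisson_tail(len(pending), lam)
        return "deny" if p < self.alpha else "limit"

    def approve(self, src, dst):
        """Record a pair as legitimate (the 'Bob calls support' step)."""
        self.known[src].add(dst)
        self.pending[src].pop(dst, None)


def constructed_training_flows():
    """One week of constructed traffic: Bob uses two servers, one new printer."""
    flows = []
    for day in range(7):
        for hour in (9, 14):
            ts = day * DAY + hour * 3600
            flows.append((ts, BOB, FILESERVER))
            flows.append((ts, BOB, MAIL))
    flows.append((3 * DAY + 10 * 3600, BOB, PRINTER))
    return flows


if __name__ == "__main__":
    model = PeerBaseline()
    model.train(constructed_training_flows())
    now = 8 * DAY + 9 * 3600
    for offset, dst in [(0, FILESERVER), (10, JANE), (30, "10.0.0.13")]:
        print(dst, model.judge(now + offset, BOB, dst))
```

A single unfamiliar peer only gets rate-limited because one new peer per hour is rare but plausible for Bob; a second unfamiliar peer inside the same hour is what pushes the probability below the deny threshold.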
the legal writer and thinker, pointed out that the "bad man" has just as much reason as the good man to avoid confrontations with the law. "A man who cares nothing for an ethical rule which is believed and practised by his neighbors is likely nevertheless to care a good deal to avoid being made to pay money, and will want to keep out of jail if he can." Holmes thought that all laws should be constructed with this man in mind. Obviously, code must be constructed with the bad man in mind as well. We can lay the blame on the hacker, but is it his fault we wrote bad code?
The whole firewall thing always seemed to be a bit sad to me. There really is nothing that a firewall should be able to do, that a properly designed and configurable TCP/IP stack shouldn't be able to do itself. They really do seem to be a band-aid solution to something that should happen at an operating system TCP/IP stack level.
If you're not listening on most ports, but the ones you are listening on are well behaved, throttled, resistant to malformed connections, a firewall should be so unnecessary.
Love many, trust a few, do harm to none.
Let's face it, they are both similar but also two different things.
What bothers you more, the well trained hacker who meticulously hunts out flaws in software?
Or the 15 y/o script kiddie sitting in his room on the emachines box he got last christmas and his friends who loadup a botnet to ddos some server?
ohh, you mean crackers! there's a big difference..
The "bad guys" (don't want to call them hackers because of the debate about that term) are not going to just go away because we give them mean looks and call them poopheads.
...), we will have to do that on the Internet.
There are three types of motivation:
1. The excitement and fulfillment that comes from understanding a system and finding the holes in it, and often leaving your mark so others know you were there.
2. Political and ideological motivations -- a desire to educate people, and punish the "enemy".
3. Economic motivations. This includes both advertising, and theft/scams.
The trends started at (1) and are increasingly moving towards (2) and (3). Ironically, the technology generated by (1) is being used by those whose motives are very different than the type (1)s.
The only way to fix this is to reduce the openness and anonymity of the Internet.
I repeat:
The only way to fix this is to reduce the openness and anonymity of the Internet.
Just as we had to find a balance between privacy and security/integrity in every other aspect of society (e.g. telephones, credit cards,
"The major disruptions now are not caused by simple thrill-seekers."
Please name one serious, high-profile hacking case (to include authoring viriii & worms) in which the perpetrator was caught and didn't turn out to be a teenager or a still adolescent 20 something.
Inside jobs don't count.
I'm sure there must be a few but I honestly can't think of any.
Not to say that there aren't real bad guys out there... they just don't seem to get caught despite all the money thrown at computer and network security.
Speaking as a sys admin for almost 20 years, most hacking has been a source of annoyance (and sometimes amusement) rather than serious damage. The oft quoted "billions & billions of damage due to hackers" is a load of crap as far as I can tell. Kind of like the y2k bug was.
They don't frighten me. The internet was never designed for privacy to begin with. If that's your aim then paying to "hack in" extra security is the price you pay.
And you know what...? sometimes the cure is even worse than the disease.
I read somewhere recently (sorry, can't remember where) where someone (a security "expert"?) criticized a nuculear power plant's network security by saying something along the lines of "they're so backward they aren't even connected to the internet". Sounds like good security to me.
Security isn't about stopping somebody who wants to be malicious to a system and have fun with that.
.. but don't say we wouldn't want it otherwise. Firewalls are a good thing...
It's about protecting information that you otherwise don't want unauthorized people to have access to. It's about espionage, it's about privacy. It's about making sure you know if somebody is just looking on your system. Honestly a server can be replaced if it gets fried by some hacker trying to hurt it, and there are backups. But you'd never know if somebody went in and just invaded your privacy and looked at all your things and then left it completely clean right?, not without something like a firewall or some sort of logs and security system set up.
So yeah go blame hackers for making us think of the idea
Who makes you Sig?
Why in the world would he be bitter-- hackers and criminals keep him employed and have made him somewhat of a known figure. I understand his frustration at the lack of real morality in some people, but the bitterness is a bit over the top.
Let's look at it another way-- do you really think Batman would be happy if Gotham (or the world) were rid of crime? What would he do?
Or yet another point of view-- hackers are actually helping the economy. They have created a new market in security which creates jobs, revenue and all the other economic benefits. As Gordon Gecko might say "Hacking is good!"
To expand this a bit-- without crime there would be no need for a police force. Without war there would be no need for a military. What would we do with all that excess production capacity?
*tongue firmly planted in cheek*
They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy
How can someone be clueful and clueless all at once... Desire for fun....that did not steal 40 million credit card numbers. Everyone on Earth's desire for peace and right to privacy? Tell that to the Chinese who are told what ports they can or can not secure to allow for "public monitoring" This guy is lost.
No kidding.
...rendering locks on door unnecessary.
The goal is to live in a society where you have peace and security, not because you can create a fortress, but because everyone agrees to get along.
Crackers are a problem because crackers have issues. When those issues are addressed we won't have the need to have crap on our computers taking up cycles we could devote to programs we want to run.
Man, this stuff isn't supposed to be rocket science.
Computer criminals and black-hat-hackers are as much a fact of life as rain showers in Seattle, earthquakes in California, flus in winter, and accidents on highways.
...) is very much to blame. In fact, it should be possible to hold liable for negligence.
Security isn't an accidental byproduct of software, it is one of its primary functions; if software doesn't provide security, then it is defective. That's just like if you buy a padlock, you have an expectation that it actually works as a lock. The padlock manufacturer can't say "oh, well, our padlock doesn't work, but that's really the criminal's fault".
Any vendor that puts out software that contains easily avoidable security holes (like buffer overflows, backdoors,
The problem, as I see it, is that since "software" is such a new concept (compared to houses, locks, etc) that people and society haven't settled on REASONABLE steps to secure things vs. UNREASONABLE steps.
For example, if I wanted to, I could easily break into the average person's home. It just isn't that hard. Does that mean they "failed" to secure it? I would think not.
There is no such thing as "perfect" security. It will always be an arms race between malicious people (or misguided non-malicious hackers) and the people trying to protect their systems.
Now this is just a sad justification and can easily be turned the other way-- If it had been organized crime that started hacking, the government would probably take it more seriously than it is now, with laws and penalties to match. The tools would have been developed anyway, so it's really a non-issue.
Besides. Hackers have been doing serious damage from day one. Besides just breaking into networks for "curiosity sake" they've been planting worms, trojans, trolling entire credit card data bases, committing DDoS attacks, etc etc. No, not all of them, but enough to make the OPs point a ridiculous one to even attempt to justify.
You need a FREE iPod Nano
we buy things for their utility. cars, for example, are useful for getting us from one place to another. some cars sell because they look good, some because they are efficient, some are incredibly powerful. But there's not a car in the world that's sold to consumers because it's hard to steal.
the car makers make a half-assed attempt to secure their cars, they install door locks and alarms. But they know that car thieves will always figure a way around their security measures. If you want more protection you buy add-on services (A more threatening alarm system, a private parking space, GPS tracking, etc...)
Some things come with no security at all. Jewelry, collectables, sports equipment, children's toys. When little Billy gets beaten up and his new backpack is stolen, his parents don't demand that the backpack makers improve the security of their product.
So why should we expect software to be different from every other product we buy? We buy software because it performs a useful function. If security is a primary concern then you shouldn't have a problem paying more for a system that does less but is more secure. Or perhaps you can take extra security measures, beyond the software, to ensure the safety of your data.
But to blame software manufacturers for their products' lack of security is foolish. If you don't want to blame the actual criminals, then blame yourself for under-prioritizing your data's security when you purchased your software.
They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy.
Who wants peace? Nobody, or else we would act consequently, which we don't, as a world.
Is this a critical series of computer security books?
Maybe not where you live. If you don't have bars on your windows in some places then yes you will be told shame on you.
Wow, I'm not sure if I want to read the article.
Ranum: "Sometimes, patience is a terrific strategy. Wait and see what happens to the early adopters. If they're all getting hacked to pieces or spending tons of money on patches and upgrades and fixes to the stuff they bought - then it's not ready, yet."
Yeah, he thinks the hackers are all to blame, but loves the fact they expose real problems.
So, what was his point about hackers, again? Everyone should share the blame, but it's still all the hackers' fault?
Isn't there a drug that fixes the inability to express coherent ideas?
"We are all geniuses when we dream"
- E.M. Cioran
Is what this guy saying profound, or even useful?
If I went around pointing out that it's the fault of those damn CRIMINALS that our society has to spend all this money on POLICE... well if someone came up to me and said that at a party I'd go looking for more interesting conversation.
You know, it's those OTHER NATIONS that cost our society the expense of having an ARMY! Um, yes, dipshit. And it's GRAVITY that makes it so damn difficult to freakin fly. That's the way the world works.
"Truly, the only people who deserve a complete helping of blame are the bad people. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun and/or profit ahead of everyone on earth's desire for peace and the right to privacy."
Is this a little pointless? The fact is that complex systems (not just talking about computer systems) are rarely going to be perfect and bad people will always try to exploit the exploitable for their own gain. Is there any point in complaining? There will always be bad people, there will always be exploitable systems. Why whine? The hackers validate and keep alive an industry and frankly I think that it can be enjoyable on both sides.
Whining won't get rid of bad people and won't fix the world's exploitable systems. The arms race will not stop. I see hackers on both sides as being a necessary evil and I respect hackers for their talent, regardless of what side they are on.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
-Death is still the #1 killer of all living beings on earth.
...I could go on for hours.
-Criminals are to blame for 100% of crimes committed.
-Toaplan is responsible for all of the "all your base" sightings.
--- sig moved for great justice.
If hackers are doing it to have fun, the effect is that they are pointing out holes in our security and helping us patch them against spammers, terrorists, thieves and other true evildoers.
Those who hack for fun should be encouraged and rewarded for coming forward with information. When they present a great hack to the public, say, getting into a bank database or the government, they should be announced nationally and given a fairly large cash reward--These people should be revered, looked up to and publicized much more than some basketball or football player.
This would also discourage them from trying to profit from their hacks in more devious ways since that would completely negate their accomplishments and get them thrown in jail instead.
By the way, I am not a hacker (in this sense), nor am I a kid any more, I'm not defending anything I've done, I just think we have a pretty messed up way of looking at things sometimes.
A millionaire got robbed because he had left the front door open. Crazy guy, isn't he? And... here's Mike with the weather.
Does the bad element drive the good to become better
- its survivability
- its innate strength
- its goodness?
Many a theme has been played out on this before, but I have not read much discussion about it. Not much from
It's a sad thing that the poster of this chose to take that particular quote out of context. If you read the article Marcus puts blame at the feet of everyone in the process of building security.
-- Ecks
I believe his placing blame on hackers is accurate, though it doesn't excuse companies from securing their systems so hackers can't get in. If it weren't for hackers' lust for infiltration of systems they know people rely on, if it weren't for hackers' selfish desires for publicity and duplicity, if hackers would actually respect other people and their right to privacy and not violate the consumers' trust in the caretakers of their data, we wouldn't have a NEED for these security measures. There would be no reason to suspect someone of theft, of having anything but expectations for moral/legal intentions for others' interacting with these systems. "Hackers" shouldn't exist (what they do, not the people themselves), they should just be other computer-savvy consumers who respect others' rights to privacy.
Envy my 5 digit Slashdot User ID!
No one is defending the virus/worm writers. The security holes that virus/worm writers are taking advantage of are defects in the software. You wouldn't accept it if GM sold you a car that would unlock the door if you removed one of the hubcaps, nor should you accept software that doesn't bother to check the validity of input. All software should be run in "taint" mode.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
the foreign intelligence services and other spy types that are interested... oh and the Chinese Cyber Warriors... Oh - Organized crime is on the rampage such that the Feds miss old fashioned hackers. And Spammer botnets, and so on. Yep, way to blame those poor Stereotypical H4x0rz to get your name in the press yet again.
"Omnis tuus capsa sunt inesse nos"
"... earth's desire for peace and the right to privacy."
Last time I checked, and I could be wrong, but so far I have yet to find any contract or constitution of a nation that secures Privacy as a right. Here in the USA there is no Federal right to privacy, several states have privacy measures but those laws are about securing information gathered more than preventing it from being gathered.
-=[ Who Is John Galt? ]=-
Technically his statement is correct, however prima facie, it's a foolish one. As it's been said elsewhere in the comments it implies that if it were not for 'hackers' systems would be 'safe'. However as is the case with companies looking to cut every conceivable cent, there would be no security otherwise. "Why bother locking the doors there are no criminals to steal my possessions!"
This sounds merely like an argument for altruism and security thru obscurity (which of course doesn't work). Why would a company try to harden against problems, even if caused by a mistake, if there is never any pressure to think there would be a need?
Would a civilization wonder if there is anyone else out in space if they can see no stars? Problem is without external pressure, people get sloppy. Of course people are sloppy to begin with. Imagine the extent of the credit card problems we have seen in the past months if there was no security at all? It's a poor argument really.
You do have to consider how it scales to the corporate world. A thief may spot an easy target in the home and steal something, just like a hacker spots an easy target on the Internet and plants his software. The cop tells you, "Put a better lock on that shed" and the ISP tells you "Install a firewall". However, you wouldn't expect a thief to have an easy time walking into a bank and walking out with a bag of cash so why would anyone expect a hacker to have an easy time breaking into a corporate system and stealing personal information? The amount of private information stored and the financial impact levies a greater burden of responsibility on the bank/corporation than it does the individual.
The grandparent and parent both touch on something important. The vandal/repairman example comes straight from Hazlitt and is indeed an old fallacy. People see the new improved and rock-resistant glass and they say 'now that's progress'. What they don't see is the resources the shopkeeper had wanted to purchase with the money that had to go to the new window. The shopkeeper could have spent that money to become more efficient or expand. Or as in Hazlitt's example, bought a new suit. Then the tailor would have had more resources to put into play.
The window repairman, much like the parent poster, probably thinks rock-resistant windows and proxy firewalls are an excellent investment. When we look at the long list of technologies that changed the 20th century, many/most were developed at least in part to help wage and defend warfare. One might deduce that warfare is a creator of value. Yet war is always a destroyer of value. It is the allocation of resources that could be more suitably employed.
A lot of hackers have "fun" causing other people pain. It's weird, I've never quite understood how that actually works, but I've met plenty of people who just experience joy at doing damage.
Some hackers/crackers have miserable lives. It is not uncommon for miserable people to find comfort in the misery of others. It's like the nerd version of a bully, they believe they have elevated themselves over someone else and are no longer at the bottom. Now add in anonymity and the bully feels even freer to act, think of the bully who gets to put the white sheet over his head.
I'd be able to take you seriously if you weren't one of those people who constantly spend their time thinking about how they blame something on the "current administration". Take 5 minutes out of your life to think about an issue without doing it in the perspective of 'how can I use this to bash Bush'.
The tripe is really getting tired.
And there have been thousands of instances of nations like Korea, China, Iran, and Syria staging attacks through computers. Why don't you hear about it? Let me ask you something. What law enforcement agency do you call when you find out your server has been compromised from an IP based in Pyongyang? I didn't think so.
Evolve or disappear.
Who do we blame if we leave our house door unlocked? Do we blame the intruder or ourselves for being so trusting? In a perfect world, we could trust everyone we see. hahaha. wake up charlie!
As I recall, ranchers typically put a mule with sheep. Predators are less likely to attack because of the mule.
Can't open source work as a mule to help the "sheep"? Firefox is popular because it is less exposed than IE and it's great that it's getting exposure.
If there was some sort of easy to use firewall for the non-XPSP2 crowd (a quick Google lists a few). Let's get some of the advocacy (and developers) behind it that worked so well for Firefox. If it works well, people might even consider going fully FOSS for their next computer.
SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's an interesting reading, and the end is even better: Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."
:)
They're also the ones giving you a job
Now then, Dmitri, you know how we've always talked about the possibility of something going wrong with the Bomb...
Let's set the record straight: "Hackers" refer to those of us who do wonderful things with the hardware and software. "Crackers" are those who seek unwarranted entry into other people's systems, usually for malicious intent.
I am a born bona fide *hacker*, and have been so for the past 27 years. I, on the other hand, am NOT a *cracker*, and I would like to see them on the business-end of a (insert your favorite weapon here). Recovering from the damage crackers have caused me and others is no fun, eats valuable time, and forces me to focus on things that are not productive, but necessary to keep them out.
Ruby Neural Evolution of Augmenting Topologies
Thought I'd mention a bit of history (long since forgotten) that Marcus Ranum was also the author of the UberMUD and UnterMUD, mud engines. Two very nice mud cores, written in K&R C that ran on Ultrix. Both had their own strengths and weaknesses. UberMUD was my favourite, as it had its own scripting language called "U". UnterMUD didn't so it was harder to develop on, but its filestore backend was much smarter than Uber's. A union of the two would have been the perfect MUD engine IMO.
I mean sure...the crackers DO cause all the problems, but you have to develop a system that allows for the existence of the inevitable. Yeah, communism is a great idea, but unless it can be modified to account for the fact that there will be people trying to leech off the system, it won't go very far. Similarly with computers: it's a bit foolish to complain that we wouldn't have to have information security if we didn't have all those darn criminals cracking our computers. There will always be people who want to leech because they're selfish, and there will always be criminal crackers. Part of running a society, or a computer system, is making it resilient to those that don't follow the rules.
The criminal, on the other hand, is still a criminal in this scenario because he violated the owner's house/car/computer, and no plea of "trying to protect by demonstration of vulnerability" is possible. In other words, breaking and entering is never a "favor" rendered.
When you buy a product, you expect the same due diligence in quality, truth in advertising, and utility of the product. If the producer deliberately produces an inferior product, lies about it, or if it does not live up to its utility, that producer may be subject to at the least, ridicule, and at the most, financial or criminal liability. On the other hand, someone who deliberately breaks a product has a reduced, and probably no, claim against that producer.
A hacker who draws attention to a weakness in a product may actually be a hero; however, one who deliberately breaks things or breaks into places without permission is nothing more than a criminal.
And per basic logic: what is the simplest explanation for why for the last two years worms have been sucking data off hard drives and transmitting it to various east asian countries? Lot of curious teenagers sitting around over there just dying to read American powerpoints?
sPh
Yaa, right....us, us, our? Our systems? Our systems? I guess if I go in to the Fortune 100 financial company I work for, I can just start taking "my" Sun Enterprise 4900s out the door and back to my house. After all they're "our systems", aren't they? What a load of crap.
I know people like Marcus Ranum, who I personally think is an ass, and my employers try to encourage me to think that the systems I work with are "my" systems so I'll take care of them more. Sometimes I even buy into that on some unconscious level, as I'm protecting them from users pushing the load average up to ridiculous levels and so forth. But ultimately they're NOT my systems, they belong to the majority shareholders of the corporation I work for. A Federal Reserve survey says 42.2% of the outstanding stock in this country belongs to the wealthiest 1% of Americans, and with the Gini coefficient being high, I know the control over the machines I work for rests with a small elite, not with the people who work on them, who create wealth from them.
Everything else Ranum says is BS as well...I'm not paying to secure my corporation, the corporation is. I have a lot of friends who are employed by the computer security business. And he can make all the convoluted "what's bad for Peter is bad for Paul" arguments he wants, the main effect of the need to post sentinels to protect from hackers at the cost of billions a year is to keep many of my friends employed. Those billions of dollars are not coming out of my pocket, no matter what kind of convoluted argument he wants to make. They're going into my friends' pockets (and Ranum's pocket).
As far as peace and privacy, I'm not the one who decided to put up SOCKS for my company and log everyone going to Playboy.com and whatnot. I'm not the one who decided to read through people's e-mail. I'm not the one using the Patriot Act to see what library books people are checking out. What privacy?
As far as peace, I never wanted war with Iraq. I don't want the US sending billions in weapons to Colombia and other countries. That's real war and peace. As far as peace for systems, I'll go back to what I said before. Most hackers (hackers, not script kiddies) attack corporate systems. Corporation owners, meaning the majority shareholders of corporations (not people who have 100 shares and whose proxies have ultimately no say) are a small elite who have control of these systems, who own these systems, who use these systems for their profit. These systems are not even owned and controlled by the people who work on them! They're controlled ultimately by this small elite. So put away your lies that the machine I need my manager's signature on a slip to take out of the building is "our" machine. There will be no peace until the means of production are owned and controlled by the people who work on them and create wealth with them.
Is that "if buildings were built the way software is built, the first termite that came along would destroy civilization"
Can you assign all the blame to the foxes if the henhouse door is left open?
"They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."
I thought that was the government's job?
The internet is a hostile environment, and you would be foolish to enter without using secure software. Either software is advertised as secure or it isn't.
If software is advertised as being secure and you get hacked, you can blame the maker of the software for advertising it as secure when it clearly was not. You can switch to another vendor (assuming that the market is not a monopoly). Or you can remove yourself from the hostile environment until the issues are fixed.
If the software is not advertised as secure, why on earth are you going on the internet with it? Only you are to blame in this case.
I'll probably be modded down for this...
Yet another example of how Marcus Ranum likes to see his own press. Next he'll start pitching how Network Flight Recorder is the top of the line IDS. *SIGH*. I know this is flamebait, but at the very least Security Focus could interview someone with a little bit more of a clue when it comes to security. Stephen Northcutt and Judy Novak for example? It would serve the security community much better if grown-up script kiddies like Marcus just kept quiet. Marcus, there's an old saying that goes.... 'It's better to keep quiet and let people think you're clueless rather than open your mouth and prove that you are...'
That would make them stop.
Or at least, has the wrong emphasis.
Ranum denounces crackers only in the last paragraph.
RTFA! The rest of the article should be modded "Very Insightful!"
I read his "Stupid on Software" article referenced here a while back and it, too, was very insightful. I need to look around and read what else he's written.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Just think of how easy it would be to replace SMTP when we only had under 1 million folks using SMTP.
A correctly written mail transport, one which accurately identifies sending parties, could eliminate most spam.
He's right in what he's saying, but it's a trivial and obvious point.
If not for bad people and bad things happening, life on the entire planet would be better for people.
Yeah..but so what? He's arguing that there shouldn't be rude, inconsiderate people? What can I do with that thought? How does that insight help the human race in any conceivable way?
I'd give him the "Captain Obvious" hat, but I respect the guy too much.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Actually Nature, through evolution, strives to try every possible combination that can be expressed.
I mean; evolution is a blind process, not a guided one. How could evolution know which characteristics will make a being successful in its future?
The answer is that evolution doesn't know, or even care. It produces every variation in reach, so that the ones better adapted to the future are the ones which survive.
So "good" and "bad" individuals keep being "produced". Currently successful social organization seems to depend on a vast majority of mostly-good individuals that are able to defend themselves as an organized group. Remove from them the ability to defend themselves and then the future will belong to the better adapted "bad people".
It's a great interview, he tears a lot of folks a new orifice or two. Focus on just the final short paragraph about 'hackers' and you miss the good stuff.
You may want to start with the first widely publicized case: read "The Cuckoo's Egg" by Clifford Stoll. The perpetrator was caught and didn't turn out to be a teenager.
geek can't get laid, blames women.
consumers want to blame companies
companies want to blame hackers
hackers want to blame developers
developers want to blame users
users blame whoever the media tells them to blame.
there is some truth to what is being said here. sure early hacking showed the developers they had to pay some attention to security. but couldn't that be done in a controlled environment? why? because that way innocent people wouldn't be put out. there are people losing identities and money because of thieves (i say 'thieves' because a hack where you steal is a theft - sorry everyone but that's the law).
so continue to point your own finger when a finger is pointed at you but at some point some culpability must be had.
nature loves variety::society hates it get your variety at http://www.monkeypantz.net
By YOUR example, your reasoning is that, if you leave your front door wide open, you're not equally to blame if some dishonest bastard walks in the door and steals your stuff.
No. Breakins are going to happen. PERIOD. Understand this. Lock your door.
And stop bitching about the effort it takes.
Chas - The one, the only.
THANK GOD!!!
...make my CISSP totally worth it!
Get over the last paragraph, morons, and RTFA!
It's FAR more insightful than any of the comments I've seen bitching about the "blame hackers" paragraph - which was preceded by "blame everybody else" sentences anyway.
You guys sound like the big media press whenever somebody gets caught faking or running false stories - "Oh, woe is us! Somebody is blaming us for being idiots! We're such a poor, put-upon industry!"
Deal with it!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
At the time (1983) the media learned to use "hacker" to describe computer intrusion, it was the correct term for such, and alternate terms such as "cracker" had not been coined. That there were other meanings to "hacker" has continued to escape them... or at least, they don't give a damn. But complaining about it, and trying to insist that the media should use the term "cracker" instead, is trying to close the barn after the horse has left.
Mind you, I also think "cracker" is a bad choice if you really want to get the media to change terms. I'm a fan of Vernor Vinge's work; his book "Marooned in Real Time" included a cracker character who had been "head of Systems Penetration and Perversion at USAF, Inc." I think "systems penetration and perversion" nicely describes most of the scummy activities the media classes as "hacking", including but not limited to virus writing; deployment of spyware, adware, and trojan backdoors and rootkits; and WAR3Z cracking. Thus, the obvious term for a perpetrator of such is a "pervert."
Sex sells, so there's a better chance that the media will pick up this usage than the uninteresting (and too similar sounding) "cracker". It also allows for nice shadings of morality involved-- EG, breaking into systems you actually own might be categorized as "kinky". Adopting this term would allow us a much more comprehensive metaphor space for describing such activity... not to mention expanding the wide range of abusive insults that can be applied to those who commit such crimes.
Of course, I'm a lone weirdo, so I doubt such usage will actually spread. Still, it would be nice....
//Information does not want to be free; it wants to breed.
If it weren't for hackers, everyone would still be using electric typewriters and filing cabinets.
Hacking can be malicious, it can also be purely benign.
Honestly, the heaping helping of the blame in this situation lies with the software company that distributes its OS without a proper security model, bad default permissions, and terrible user discipline built in.
Take away that hoary old VBASIC exploit, and the script kiddies disappear. Encourage good user discipline and use sensible permissions, and important files are less vulnerable to attack.
The problem is that this unnamed company has lowered the bar for what can be considered a hacker. If you can work a browser and download some VBASIC scripts, you're in. Unfortunately, their marketing department is tip-top, so now the vast majority of the end-user/workstation market is using very vulnerable boxes.
Used to be that you actually needed to know a little something about the mysterious inner workings of the beige box in order to get in, let alone cause any mayhem...
To continue with the house/lock analogy that many folks here have been using, if the contractor builds you a house without one wall, and tells you houses are supposed to be like that, in fact it's an advanced feature to make your house more homeowner-friendly, and somebody walks in one day and takes all your stuff, who is to blame?
It's partly your fault for not bothering to find out for yourself if missing an entire wall is supposed to be a feature of quality home construction.
It's partly the fault of the person who stole your stuff, because that was a jerk move.
But it's mostly the fault of the home builder for constructing and delivering a product that made theft inevitable, and then convincing you it's a good purchase.
He's the one who pocketed a pile of your money for an inferior product, all the while claiming that it was the most superior product on the market.
They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy.
(sigh) sounds so familiar...
There is a point (and anyone who has ever done ANYTHING wrong knows that point) where you know when you are doing something wrong.
Come on, how hard is it to walk into a candy store and leave with a candybar without paying for it. The point is, you know you did something wrong. You can blame your parents for your upbringing but you know who is at fault.
I am not saying that the bank executive who keeps account numbers on a laptop in a standard spreadsheet isn't to blame when that laptop is stolen and the accounts are drained. Sure, he has to carry some of the blame. But the person who stole the laptop is really the criminal here.
Blame isn't given out in black and white, it is shared. Breaking the law however, is black and white. You are either guilty or innocent. When you knowingly pass that point, you are guilty and must accept at least part of the blame no matter how easy it was to commit the crime.
There will always be more than one person to blame for everything. He is right in placing blame on the hackers but there is obviously more responsibility involved in computer security. The "blame" is truly shared by all parties involved.
Hackers arm the very people they should be trying to suppress. It's really disheartening. Not all do I know. Some (the good guys) are giving them nettles!!. But there really is too much loose morals these days. A lot of it coming from East of the Caucus (Yural?) mountains unfortunately. There are many Russian black hats. Make no mistake - they are not the hackers you see in the movies. They are dirty seedy people that would sell their mothers for a quick buck ....
Even as a liberal, I find I have more and more admiration for DRM and anti-distributed networks. Maybe the black hats should think about the long term damage they are doing. They are arming the very people that make them have to hack and hurting the very people that would want them to have a fair chance.. : ( ..
Nobody is expecting people to have computers comparable to fort knox. They are expecting them to have computers comparable to a house with a locked door. There are literally thousands of assholes out there running old, known exploitable windows/IE/outlook versions, who refuse to upgrade. When told that they can get hacked their response is "so, I have nothing important on my computer anyways". Locking your door isn't hard, and that's all we expect from you, don't pretend we're asking for anything more.
What I really find interesting about this Thieves/Hackers analogy is that you never hear people telling the victims of thieves that they should have had three deadbolts on the door, or saying "shame on you you don't have bars on your windows, of course you'll get broken into."
You must live in an awfully safe place.
First off, just about every cop who responds to a breakin where security measures weren't taken says exactly this.
Secondly, if you live somewhere this is at all likely to happen (most cities, lots of suburbs), I would say something similar. You have to take appropriate measures for your environment. In a rough part of town, if you don't have burglar bars on ground and accessible floors (that release in case of fire, duh) you're doomed. In other areas, you need more than one deadbolt. Where I live, most people lock their doors at night, but that's about it. Then again, we're a little farther out, and most everyone has dogs, and guns, and notices who's in the area.
Truly, the only people who deserve a complete helping of blame are the hackers.
Absolutely! and bad people are... -ahem- bad! All bad things in this world are solely due to these people who are.. bad!
He was being sarcastic. Please submitters: RTFA. This interview was a great read, just don't turn it into something it's not.
This sig is intentionally left blank
they're also the ones that keep you and I employed.
But if they weren't keeping you and I employed we could both be employed doing more productive things.
in both cases the correct grammar is "you and me", not "you and i".
I mean, sometimes the concept of 'blame' is useful because it means you can persuade a morally inclined person to do something that they wouldn't otherwise do, like "don't drive dangerously because if there is a crash it will be your fault; everyone will blame you." But in this case none of the parties really fall into this kind of classification. We have the vendor who is amoral and so only cares about blame as far as his marketing dept does, we have the cracker who knows he's doing the wrong thing already and the user who doesn't take part in the discussion and hence is not going to be influenced by the blame factor one way or the other.
But I guess this isn't compatible with slashdot's binary good/evil worldview.
has anyone actually read the entire article ?
How about "an interesting read" instead? HJ
has anyone actually read the entire article ?
Yes -- I read the entire article.
-kgj
>> Please name one serious, high-profile hacking case (to include authoring
>> viriii & worms) in which the perpetrator was caught and didn't turn out to be
>> a teenager or a still adolescent 20 something.
> Um, you might want to check the current news.
> Israeli corporations, including defense contractors, are battling an attack of
> corporate espionage conducted via targeted worms and keyloggers right at the
> moment.
They're under attack from teenagers? How do they know? Have they caught them yet? Or do they have some sort of software which can get their age from their IP address?
This wasn't Fox news, was it?
In that climate, we look to software makers to make reliable products. We want them to be able to withstand the efforts of the rest of the world doing what it is that's natural for them to do. It is not an impossible task.
Actually, it is an impossible task in the practical sense. As the saying goes, the only secure system is not plugged into the net, not turned on, encased in concrete, and dropped in a deep part of the ocean (or something like that). We have to give up a certain amount of security to make things practical. There is always a compromise made, and everybody is going to have a different point they think that compromise should be made at.
To draw on your analogy, you probably lock your house doors with decent locks. If there is a window within 2ft of your door (usually), does the inside of the deadbolt use a key or a handle? Does the lock require two independent "keys", or just the one physical key? Do you have bars on all your downstairs windows? Upstairs? (Heh. Everybody knows windows are insecure.) Can your door withstand a battering ram? Explosives? Where did you draw the line that extra security wasn't worth the cost or inconvenience?
#insert random comment about the US sacrificing civil liberties for security, going the other direction on the compromise.
Most computers are run as administrator, because most people don't want to deal with changing users when they want to install stuff. Many developers don't want to deal with limited access, so they just force you to be an administrator. Both the users and the developers have made the choice to sacrifice this part of security for convenience. People want to get HTML with active content through email. They don't want to have to jump through hoops to look at neat content on websites. They would like to be able to access their computers remotely without any hassle. They don't want to have to learn digital security just to use their computer.
Now, I would totally agree if you said that programmers can do far more to secure systems without serious compromises (except perhaps to their budget or schedule or lazy habits). It's just that you can only go so far before you have to look at whether it's worth it anymore. You can keep out the script kiddies, but you probably aren't keeping the FBI out if they really want to get in. In between is compromise.
I've always wondered what things would be like today if the blame for the problems the original internet worm caused back in 1987 had been placed on the vendors shipping buggy code (and on very expensive systems). If vendors had to take responsibility for selling exploitable code, which is the real source of this problem, imagine what would have happened when Microsoft decided to play with the big boys in 1995. It is really insane to imagine a world without people willing to exploit obvious weaknesses, or at least it goes against all known history. And the largest exploitation has been by the vendors that continue to take money for broken code.
The people to blame are the ones who have developed this house of techno-cards
That is exactly what he said. But you and the rest of the idiots on /. are too fucking stupid to have read the article. Christ. This guy wrote some good shit and no one bothered to read it.
Sadly enough this reminds me of the whole virus / antivirus story that people pointed hackers as the original problem of why we have to invest in product product product. Really the moral of that story is programmers were having fun and it evolved and got out of hand.. then fell into a common ground to people who wrongfully apply the knowledge.
I think instead of placing blame whining about who did what how it occured I think the focus needs to be pointed to the fact that not only does the technology exist for both negative and positive influences but those in the industry can shout out to the fact that a huge chunk of the IT financial claims have been handed out not to an intelligent hacker who was just seeing what was there or a destructive adolescent who wanted to upset someone or a collective company, but rather take a peek at the money spent on fixing someone's mistake, or misconfigurations of the simple devices.. someone not doing their job to ensure that something simple as a programming error is not patched properly..
Moral of the story before I rattle on for days... Don't bite the hand that feeds you....
Most people aren't computer savvy and some are outright not smart but instead of taking the time to educate the user "no you shouldn't do this because..." we here on slashdot like to insult them with " ooo GAWD you dont know what a firewall is, you fn moron you shouldnt even own a computer".
So unless the person is a prick, help out. If you want to get technical we are all responsible for this mess. What's worse, not knowing out of ignorance or letting your neighbor stay in ignorance when you very well know you could have easily helped them?
Wow, I'm not sure if I want to read the article.
The original post is whiny and badly out of context, but the article itself is a damned good read.
-kgj
I'm tired of MJ Ranum's self-replicating propaganda... "the inventor of the proxy firewall"... calling him the guy who made people using network flightrecorder vomit in midwalk when he had engineers use a windows control workstation for a security tool, that's probably more right. I think MJR just thinks of security that benefits dollars. do your homework before you trust a sales ceo.
It's a very dark ride.
I blame you.
In a world without hackers
there would be no need for computer security.
In a world without violence
we would feel safe all the time.
In a world without crime
there would be no need for police, or prisons.
In a world where all beings agreed with and respected each other
there would be no need for the lawyers.
In a world without war
we wouldn't need the tools of warmongering.
In a world without anger
all the art would be boring.
In a world without tension
there would be no incentive for personal growth.
In a world without pain
pleasure would be meaningless.
In a world without fear
we would all be enlightened.
But we are not without those things. We are not perfect. We are flawed, but spiritual beings in the midst of a human experience. Accept that and everything else makes sense.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
sPh
In a perfect world, maybe. But everything in the world we live in is driven by conflict and competition, not the betterment of our fellow man, not the betterment of our world, not even the betterment of ourselves.
Until that changes, war is indeed a creator of value, because it's unlikely that many of those advances would have been made otherwise. All we know of space exploration is founded on advances that were originally made to kill people. Nuclear power came after nuclear weapons.
It's nice to imagine a world where there is no conflict and there is no competition. That world is probably also without technology, however.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The blame should be placed on the destructive behavior of hackers. Those who believe that they're actually doing society a favor are wrong.
Sure, hackers "encourage" us to create more secure systems. And when phrased this way, we see their actions as "good" and "progressive."
But consider this logic as applied to other issues in our society: Criminals encourage us to create better laws. Sexually promiscuous people help us realize the need for better medicine for treating symptoms of sexually transmitted diseases. Thieves create an itch, and better home security systems help scratch it.
See, it's wrong to defend the immoral behavior that leads us down this road. Criminals are not to thank for making this world a better place.
David Appleyard of Shadowcrew was 45 years old when he was busted for trafficking stolen credit card numbers on IRC.
In the year 2156, when the aliens attack, the hackers will have saved us from them because our computers will be safe from their hacks and we will have all these script kiddies who will be able to take down the alien network with denial of service attacks.
Read my short stories - You won't regret it.
We've had windows for hundreds of years, though. Where's the rock-resistant one that costs the same as the original? This "fallacy" is still quite prevalent today. Especially with GE and the light-bulbs that last a lifetime, and the ones that last about a year.
Please name one serious, high-profile hacking case (to include authoring viriii & worms) in which the perpetrator was caught and didn't turn out to be a teenager or a still adolescent 20 something.
Nice, placing the burden of proof on the other party makes the argument much easier, doesn't it?
Anyway, consider "dialers", programs that reconfigure your Windows internet setting to dial in via the equivalent of a very expensive 1-900 number. These programs have a "tendency" to install through some security holes in Internet Explorer against the will of the PC's owner. They caused enough financial damage to warrant a federal regulation. Today a legal "dialer" has to explicitly ask for permission to install itself, thereby presenting the incurred cost. Guess what, there is JavaScript in circulation which clicks OK in this dialog without the user even noticing.
None of this crap has been written by teenage hackers, this is paid for by shady corporations, and they are not caught, because chains of subcontractors have to be tracked through countries you have never heard of.
Second example: in Feb 2004 German computer magazine c't reported a connection between virus authors and spam senders. Basically spammers paid for the IP addresses of "owned" PCs and used them as spam drones. (German article)
Don't tell me all this happens for fun. It happens for profit.
Without hackers forcing security fixes and encryption technology, our systems would be completely open to the CIA, NSA, Chinese, space aliens, or anyone else who was interested.
It's the same reason Europeans were able to take over North America so easily: disease resistance. They had it, Native Americans didn't.
yup
- sigilicious -
Am I the *only* one who got some of the more significant parts of that rant??
What he's talking about is that most networking software nowadays has the whole kitchen sink built into it. Remember Windows NT, Windows 2000? How many open ports were turned on by default that were not needed? Now we have 2003 and it has about 25% of the ports open than NT. Guess what, its security is also much better.
He's also talking about ACLs in routers. Most of us don't set up our Ciscos (or whatever) to block traffic on the *inside* of our network. Probably because it's too much management overhead, but it *should* be done. Again, this is a whitelist/blacklist issue, we are only blacklisting, or keeping everything open when it shouldn't be.
How many folks don't do Egress filtering on their firewalls?
I'll admit that I have spyware on my network, but it's not because of the reasons listed, it's due to non-patched software, and the bad guys tunneling through port 80.
Stop talking about who to blame, and look at what to do? Geeze, no wonder security isn't working.
I think it's time to say that that balance has shifted. Most people hacking into others' machines are not doing it for fun anymore.
How can we make this inference? Because hacking is not that fun anymore. Doing actual hacking has become the equivalent of doing petty crime. Anything interesting enough to be fun is probably more of a computer security research problem, and not often actually taken advantage of by the people who work on it.
Old skool hacking groups are giving powerpoint presentations on low-level network technology. What they're actually doing is research, because it's more fun than doing the hacking...
There's always that case of some credit card company or another being cracked going around the news.
-----
"The word is cracker, not hacker! Stupid news media."
Not even the patent office would do that. There is prior art going back thousands of years by fine politicians from countries around the world. In fact I bet blame deflection has been used in their very office! Perhaps even in their own house (Joe is to blame for this)! Could be made into a Dilbert cartoon though.
I did a school report on this. The actual definition of a hacker is one who enjoys working on computers. I'm proud to be a geek; I wouldn't have it any other way. I don't negate others' 'right to privacy'; I don't cause riots. I just enjoy computers and learning more about them.
Show this to your friends and family that don't know what a real hacker is
Gunnery Sergeant Hartman: Jesus H Christ. Private Pyle, why is your footlocker unlocked?
Private Gomer Pyle: Sir, I don't know, sir.
Gunnery Sergeant Hartman: Private Pyle, if there is one thing in this world that I hate, it is an unlocked footlocker! You know that don't you?
Private Gomer Pyle: Sir, yes, sir.
Gunnery Sergeant Hartman: If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?
Private Gomer Pyle: Sir, no, sir.
The first major one, the Morris Internet Worm, is a good example. I mentioned Cliff Stoll in my first post; he discovered an East German spy bouncing off his machines to get to other computers in the US. Are you also intentionally ignoring all the spam being spread by virus-infected machines?
Condescension towards a person -- calling them "a teenager or still adolescent 20-something" does nothing to reduce the damages they can cause, and does not address why they cause the damage. A huge number of 20-somethings, and some teens, are mature and capable enough to run an extortion racket or resell a botnet to spammers.
What kind of systems do you administer? It's a sure bet that you don't deal with very high traffic services, or you would know better about the damages that attackers can do. There were recent articles on /. about the damages caused by DDoSers against a single online casino -- most of those costs are not paying for the bandwidth, but dealing with lost customers and lost profits (and trying to mitigate future attacks).
Kiddies can easily mount 1+ gbps of attacks, but it is very hard for normal systems to stay reachable by most of the world during such an attack.
It is NOT "hackers" causing all those problems with the internets that Dumbfuck McCumstain so laments. (Yes, I AM being really insulting and offensive to Marcus Ranum! He's been really insulting and offensive towards me and my fellow hackers.)
It is thieves and vandals causing all those problems.
Hackers invented the micro/home/personal computer. Hackers invented the diverse protocols that allowed these machines to talk to one another. Hackers invented the operating systems. Hackers invented the Internet. A hacker invented the World Wide Web.
Thieves and vandals merely took advantage of what hackers have invented and shared with the world. Took advantage and turned these tools to an evil purpose. Not hackers, THIEVES & VANDALS!
So fuck you, Ranum! Fuck you with Bill Gates dick! Fuck you with Monkeyboy Ballmer's dick! Fuck you with the collective dicks of SCO!
Just fuck you in general for your stupid, blinkered, stereotypical "oh, it's those damned hackers causing all my problems!" bullshit.
Strongly worded comment to follow!
Guaranteed! This comment 100% Anthrax free!
When we look at the long list of technologies that changed the 20th century, many/most were developed at least in part to help wage and defend warfare. One might deduce that warfare is a creator of value. Yet war is always a destroyer of value. It is the allocation of resources that could be more suitably employed.
You have a great point, but it's not the whole story. A broken window to fix is very clearly a productive use of resources to improve the "order" that was destroyed by its being broken in the first place. If the window hadn't been broken, then the repairman would not have had the business. However, if left without a clear task like that, humans waste resources all the time. Take drinking or overeating for example. While they do support farmers/etc., they also produce waste (I won't remind you in what form) that has to be dealt with.
So, I agree with you, but I don't think things are as black and white as you put them.
I just hate seeing this Canard all the time. Regardless of whether you are wrong or right about gun control, you need some facts about gun ownership in Switzerland.
1) Guns are highly controlled in Switzerland, the gov't can and does do random intrusive searches, checking for agreement to the gun laws.
2) There are mandatory yearly inspections with stiff penalties.
When was the last time the police showed up at your door and conducted a search to check that you had a supply of emergency food & water, and had your guns properly locked and your ammunition properly checked and that you had passed your mandatory gun proficiency tests?
When this is the situation in the States then you can argue that guns have nothing to do with this stat. Switzerland has Gun control. If anything the situation in Switzerland is an argument for Gun controls.
Guns don't kill people, it's idiots with guns that kill people.
after my system got pwned!
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
A lot of other exploits are the equivalent of using a crowbar to break your windows. Thieves get serious jailtime and the police work to find them and they are considered the only ones to blame.
Again, you're under the mistaken assumption that the police have some obligation to protect you. If someone breaks into your house, shoots your children, and the police don't show up for an hour and a half... well, just try blaming/suing the police sometime. You'll find there is no part of the constitution or the law requiring the police to protect you. That's why you have the second amendment. You are expected to take care of yourself like a big boy. Sure, ultimately it's the fault of the criminal that broke into your house, but your kids are still dead. Having the criminal prosecuted and locked away doesn't change that.
In short: If you want security, buy a system that has a good track record on security. Pointing fingers isn't going to make you more secure or make the hackers go away. Death and taxes are inevitable, and life isn't fair.
are a (illegal) media downloader, in that case, you are considered almost a "terrorist" by the RIAA/MPAA and get sued and jailed waaaaay more than if you steal a CD at a music shop in real life!
So, although it's true the users shouldn't have to keep their own stuff safe (coz, ideally, it's private and no-one should ever touch it without permission), they must, just because there are Evil People (tm) out there, you know? And not necessarily they are hackers, there is also a lot of scripty kiddos and all kinds of perverse companies that in the search for revenue sell their morality and ethics to the best bidder.
no sig
They're the ones who are responsible for companies needing to buy the software that the company who employs me produces... thus giving me a job.
To the hackers:
Though you annoy me... my lifestyle thanks you.
While the concept is correct it misses one very important part of reality: people don't act on what is their best interest, only on what they perceive as their best interest.
The difference is important in that sometimes the destruction of an old item by an outside person-group, will force people to change items or processes. People hold on to what is familiar way past when it would've been beneficial to switch to something new. In this sense, war can shift perception and motivate people to perform more than they would've without it.
WWII is a prime example: Could we theoretically have gotten the economy going without the war? Obviously yes.
Was it likely to happen? No, people were too entrenched in their current position psychologically.
So, the point, if there was one, is that war, while an allocation of resources that could be more suitably employed, can also be a spark to start the fire in the forge.
I am not in anyway affiliated with Max Cannon
I second that hacker comment and want to extend it...
Peeping toms are to blame for all the money we spend on curtains, blinds, and walls. If it weren't for people looking in our windows, we could just walk around our houses naked and never spend money on curtains. But no, these guys had to peep in some people's windows and now nobody is safe from being looked at.
I think it's just fortunate that we don't need locks. I have not had a single criminal attempt to walk in my front door in my lifetime. I've not heard of anyone I know who has had a criminal attempt to walk in their front door. So I say today that we no longer have a need for locks on our front doors. What we have to worry about are windows- we need windows that can't be broken! The criminals always break the windows...
While I do believe most of the other posts covered the major sticking points, the one that didn't get addressed (completely) was the use of botnets for spam, phishing and pharming. If you do anything with customer financial records, you should be concerned about security, unless you actually have a fully physically separate network (separate power, separate network, no firewall or other bridge to a nonsecure network, EM shielding and for christ's sake, no wifi). Whether or not it's valuable to you, it's valuable to someone either for targeted advertising or worse, identity theft.
Oh, and it doesn't matter how old the person or persons, just how much damage actually caused.
I am not in anyway affiliated with Max Cannon
A historical nit: Neither the Securityfocus article nor Marcus Ranum claim to have "invented" the proxy firewall.
Some kid named Kevin Mitnick was poking around DEC's network in the late 1980s, and Marcus built a proxy that shut him out. An overzealous DEC salesdroid heard about it and claimed to DuPont that DEC had this new proxy firewall thingy DuPont could buy.
This was arguably the first *commercial* proxy firewall, but it wasn't necessarily the first one.
Brian Reid of DEC Western Research Labs had proxy boxes running in his labs at least a couple of years before Marcus was asked to boot out Kevin Mitnick. And Sun had a firewall in the works in the late 1980s that they didn't commercialize until much later.
The article rightly describes Marcus as an innovator. His achievements cover not only firewalls but also VPNs and intrusion detection/prevention. But that doesn't mean, and he didn't say, he built the first proxy firewall.
Is it possible to mark a whole post flamebait?
Without attacks and threats we wouldn't bother developing a resilient software ecology. Heck, we're still not there despite mounting attacks. We would only have the illusion of privacy at best.
Security and software is an ecology, and we have to evolve appropriate measures to combat attacks. The techniques are here [1][2][3][4], we just have to deploy them.
[1] EROS
[2] CapROS (EROS development moving to the community)
[3] Coyotos (EROS successor in the research community)
[4] E: secure, distributed programming language
Higher Logics: where programming meets science.
"They're the ones who are costing us billions of dollars a year to secure our systems against them."
or:
They're the ones who are costing you billions of dollars a year to secure our systems against them, and allow me to buy a few Hummers.
I blame the people that commercialized the Internet. If money was anything but a first priority, we would have had something far more secure than what we have now. The Internet was insecure to begin with. Then it was commercialized, the world was wrapped around it and it became available to anyone. It's like wireless. Everyone, their mother and his brother thinks it's the coolest thing since sliced bread and therefore gets it without thinking of the consequences.
How naive can people be? You have a global, untrusted network available to anyone. What fool actually expects it to be even remotely safe?
People think that NAT and VPN were both improvements in security. And, while in a way they were, the reason that drove their conception was monetary. They were both made to save money. Security was a second priority. Until security is put first, you can forget things getting safer.
You can blame hackers all you want, but corporations are more likely to spy on you than hackers. Corporations have public trust and therefore already have a backdoor to your system.
Is anybody capable of discussing security without arguing by analogy? If you cannot explain your case on its own merits, perhaps you need to rethink your arguments!
You use the operative word there I think - Caught. Just because organised crime is involved doesn't mean there'll be a major name court case, and even if the guys get arrested it might not even be a part of the case. Off the top of my head, an example of this: Al Capone. Multi-million dollar mob criminal, finally brought to court and imprisoned on tax grounds. Try searching the archives for *one* case where he was successfully prosecuted for extortion, racketeering etc. - there aren't any. Organised Crime is so because it is successful. Successful criminals *DON'T* get caught.
Programming is an Art. I am an Artist. Does that mean I get to wear a daft hat?
Well, the recent non-postal service credit card company leak recently comes to mind. Just because someone is young doesn't mean they don't know how to make a profit. Please.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Marcus seems to have just enough blame to give everyone a little of their own. Not surprisingly, the one group of people who deserve the most blame get the least - security people. That's right, security people. The loyal citizens of Security are always crapping in your baseball cap about how this thing or that thing is insecure, about how there is a better way to do it. What security people never do is propose solutions, because they are far too afraid that some other bitchy Security citizen is going to poke a hole in their balloon. Security people love to point out the obvious in hindsight, but never advocate anything more novel than last week's bulletin. Didn't you get the memo?
Well Marcus, YOU should go out and solve the world's virus problem, and get back to us when you have something meaningful to talk about. But solving the problem would require people to standardize on your solution, a concept you do not seem to believe in. That's OK though, I am sure you will be more than content to sit around and bitch in the meantime. Maybe Ford, Merrill Lynch, and the other Fortune 500 companies will figure it out eventually. After all, they have been so cooperative in the past.
XOXO
On the contrary. It is a common legend among the Chinese that warfare spurred the invention of the paper.
Now, where would we be without paper?
On the other hand, idle scientific pursuit of an immortality medicine produced gunpowder.
Now, where would we be without gunpowder?
My question is simple: regardless of the outcome or by-products, is hacking into someone else's system moral? This is not a troll. It is an honest question that gets to the heart of the matter.
The grandparent and parent both touch on something important. The vandal/repairman example comes straight from Hazlitt and is indeed an old fallacy.
Did he prove that, or did people just agree with him?
People see the new improved and rock-resistant glass and they say 'now that's progress'. What they don't see is the resources the shopkeeper had wanted to purchase with the money that had to go to the new window. The shopkeeper could have spent that money to become more efficient or expand. Or as in Hazlitt's example, bought a new suit. Then the tailor would have had more resources to put into play.
But now the shopkeeper spends the money on something else and the wheel still spins, who is to say it was worse.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Jeri Ellsworth recently gave a talk at Stanford. She hacked on Commodore 64s as a kid, switched over to racing cars as a teenager, ran a computer store for a couple of years, and taught herself VLSI design, which she's used to do things like Commodore 64 emulators. It was a really cool talk, and it was interesting to see somebody who did a lot of car hacking as well as computers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
organized crime is already worse than 'hackers'. Ever hear of spyware? adware?
Sure blame ALL the problems on the teenagers and completely ignore the crime businesses, terrorists, military attacks, business espionage, etc.
If you can't deal with the kiddies, then you have no chance against the pros.
Democracy Now! - uncensored, anti-establishment news
In other news
Murderers blamed for all murder!
Move along... there is no sig here.
China, Russia and India are making lots of public noise about working together for trade and finance and if America isn't careful, the end result will be that these three countries return the favour to America and bankrupt *it*.
How can that happen? Well, overseas investors are buying less and less US dollars, giving rise to the USA having a trade deficit for 2 months running now - and we're waiting to see what happens to the next month's results. If it continues then the US dollar could be worth quite a lot less, very soon, on the global money market - many are commenting that the slide has already begun and that there are no signs of anyone doing anything to stop it.
You know what they say about assumptions, right?
...if someone shoots a nice fat .44 magnum slug into, it's your fault after all for not employing the latest in body armor?
He invented a proxy firewall come on
he has made a lot of money probably
all the best security expert should be equivalent to a master criminal.
maybe he began hacking proxies to highlight the need for his product??
To be entirely fair, the conflict is usually over how to make the world better. People rarely fight for things that they think will screw EVERYONE over, though they may attempt to sacrifice one good for another. Now, I imagine that you would hold that most of their reasoning about what would make the world a better place is wrong, but we think your ideas are stupid too, so it all works out. ;)
For instance, I like nuclear weapons. They made a lot of annoying politicians shut the hell up for a good couple of decades. I also go with the old saw coined by Clemens, something to the effect of "the only thing worse than war is the degraded moral state in which nothing is worth going to war for". Besides, conflict and competition is pretty much what created life. If there was no statistical conflict between random assemblies of atoms and self-reproducing molecules, earth would still be a wet pile of rocks.
...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
Actually, hackers are responsible for fastforwarding security at least a decade.
Without any hacking going on and open publishing of vulnerabilities we would be stuck with security a la 1995 now and internet criminals would laugh at the almost non-existent and ignorant law enforcement.
But maybe he prefers those days: Anyone could connect to a Windows registry and do whatever they pleased, crappy authentication all over the place, buffer overflows, logon downgrading, no personal firewalls allowing worms to roam free, crappy protocols and morons writing and using shitty cryptology.
Whoever this anonymous reader is, he seems to be very short sighted. Marcus clearly lays blame on practically EVERYONE out there. What blame? Well, most of it is just plain dysfunctional behavior, practices, management, development, etc... What I love about Marcus is that almost all his little nuggets of insight are blatantly true. And to add to his credibility, almost all of them are only gained through experience. As security practitioners, let's not play to either "the sky is falling" or the blame game. It's time to look inward, step up and do the right thing instead of perpetuating the mistakes of the past two decades. But first, you need to learn a bit of history here and be technically up to the task such that you can fully understand and appreciate.
I'm not being an idiot.
And I'm not saying the person who decides to go in and steal something isn't to blame. Merely that there's more than enough blame to go around.
Lock your door. If he still gets in, he's still fully to blame.
If you don't lock your door, you're to blame just as much as he is. You may as well just put out a sign saying "Come in and take shit".
Thanks for the flaming AC response, pussy.
Chas - The one, the only.
THANK GOD!!!