Security Hackers Interviewed

← Back to Stories (view on slashdot.org)

Posted by Zonk on Thursday July 21, 2005 @01:49AM from the learning-from-the-blue-hats dept.

An anonymous reader writes "SecurityFocus has published an interview with Dan Kaminsky. He was guest-hacker at Microsoft Blue-Hat event. At the same time, Whitedust is running an interview with Richard Thieme from back in April. Richard is best known for his column 'Islands in the Clickstream' which is syndicated in over 60 countries." Thieme also wrote a column or two for Slashdot back in the day. From the Kaminsky interview: "Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of 'rightthink'. Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels."

57 comments

Min score:

Reason:

Sort:

In conclusion... by Numair · 2005-07-21 02:04 · Score: 0

"I am the man," says Kaminsky.
1. Re:In conclusion... by tomstdenis · 2005-07-21 02:08 · Score: 0, Flamebait
  
  Bah, he deserves some props once in a while.
  
  He also hosts my website ;-)
  
  Tom
  
  --
  Someday, I'll have a real sig.
2. Re:In conclusion... by sgt_doom · 2005-07-21 03:45 · Score: 1
  
  As someone who was on the scene when John Draper figured out that Cap'n Crunch thing, and usually keeps current - when in the hell did Kaminsky earn the sobriquet of "hacker"?
3. Re:In conclusion... by tomstdenis · 2005-07-21 03:50 · Score: 1
  
  Yeah I asked him over YM... he laughed at it. It's press afterall.
  
  Tom
  
  --
  Someday, I'll have a real sig.
"Blue hat" hackers by tpgp · 2005-07-21 02:04 · Score: 5, Funny

Note to Microsoft

We have more then enough hat colours as things stand.

Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)

--
My pics.
1. Re:"Blue hat" hackers by kwoff · 2005-07-21 02:54 · Score: 1
  
  Yet another embrace-and-extend (YAEE?) by the boys in Redmond.
2. Re:"Blue hat" hackers by Anonymous Coward · 2005-07-21 04:05 · Score: 0
  
  That's small coockies.
  In Israel we have a battle between two politically identified colours with regard to Arik Sharon's evacuation plan (currently under its way).
  Read this story called Summer Color Wars to understand what I mean.
  It's a damn circus.
No, it's not a dupe! by Anonymous Coward · 2005-07-21 02:06 · Score: 0

And they didn't even manage to announce Mornington Crescent! Newbs!
Just like Customer Service by WebHostingGuy · 2005-07-21 02:09 · Score: 5, Interesting

Duh.

Security is a neat buzz word lately. We all "need" to do security, blah, blah, blah.

Security is just like customer service. In order for it to be effective you have to ingrain it in a culture which places it as a top priority. It's obvious that most developers and corporations think of this as an after thought.

Okay, we need functionality x and y. Great, now that we have it ... oh yeah, put a firewall in front of it. What, we were hacked? We had a firewall ...

Just reading the article it shows that the developers were surprised someone can reverse engineer their code; they were "annoyed" someone created a graphical exploit. Annoyed? How about pissed? What about "motivated" to plug the hole. Obviously we weren't there to hear this first hand but it sounds like just an oh well we should do something about this. The article talks about a priority shift. Just another corporate slogan.

If it was a true culture shift you would see something like: x company has announced the hiring of 1,000 new software programmers to create a new division of security. This new division will audit all code for potential security problems before any new programs are released.

--
Quality Hosting e3 Servers
1. Re:Just like Customer Service by Pulse_Instance · 2005-07-21 02:14 · Score: 1
  
  My company is placing a huge emphasis on security. The developers and testers take lunch at least once a month to try and learn more about a different aspect of security, all of detailed designs are now being designed with security in mind it is no longer an after thought. The testers now test known security holes and are encouraged to come up with new security holes before the products are released.
2. Re:Just like Customer Service by Nytewynd · 2005-07-21 02:17 · Score: 3, Insightful
  
  If it was a true culture shift you would see something like: x company has announced the hiring of 1,000 new software programmers to create a new division of security. This new division will audit all code for potential security problems before any new programs are released.
  
  That would be followed immediately by "On IRC, 10,000 hackers were recruited to find holes in X Company's security measures."
  
  Security is a concern, but it is mostly exclusive from features. For 99.9% of the features you add, there is a way to make them secure. Unless the feature is to upload and execute random code I guess.
  
  The biggest problem with security is that you can't guard against things you don't know about. Hackers find holes, and then they get closed. It's hard to fill in a hole if you don't know it is there. In a way, for every hack that is exploited the fix makes things more secure than they were. Unfortunately there is a window of opportunity in between the finding and the fixing during which your pants are around your ankles.
  
  --
  /. ++
3. Re:Just like Customer Service by Effugas · 2005-07-21 02:18 · Score: 3, Insightful
  
  Lesse...
  
  1) Metasploit isn't a graphical exploit; it's a Perl shell, very well done, that made exploit development and deployment a far more reliable endeavor.
  
  2) They're pretty damn motivated -- not perfect, but way more than I've seen any corp. Like I said -- the "intro to security lecture" (people WILL find your holes, you WILL get attacked, etc) just didn't happen.
  
  3) 13 open reqs for just one consultancy I know of that's got security auditing gigs at MS. Yeah.
  
  4) I hadn't made the link between customer service and security. You're completely right about it needing to be a cultural element.
  
  --Dan
4. Re:Just like Customer Service by Sheepdot · 2005-07-21 02:37 · Score: 1
  
  If it was a true culture shift you would see something like: x company has announced the hiring of 1,000 new software programmers to create a new division of security. This new division will audit all code for potential security problems before any new programs are released.
  
  The problem with this is that of the 1,000 employees, about fifteen, or 1.5% will be knowlegeable enough to find actual exploits or vulnerabilities.
  
  Because of this, about 95% (3.5% stick around to "manage" the 1.5% that do the work) of those employees will eventually lose their jobs, especially at companies like Wells Fargo and MBNA, where news stories drive public releases (PRs) about hiring X # of security people and then not issuing a PR when you turn around and fire 7/8 * X # of them over the next two years.
5. Re:Just like Customer Service by WebHostingGuy · 2005-07-21 02:38 · Score: 1
  
  1) Metasploit isn't a graphical exploit; it's a Perl shell
  
  I guess I was referring to this:
  
  "Version 2.3 of the Metasploit Framework includes a web interface"
  
  when I meant graphical.
  
  --
  Quality Hosting e3 Servers
6. Re:Just like Customer Service by WebHostingGuy · 2005-07-21 02:44 · Score: 2, Interesting
  
  The biggest problem with security is that you can't guard against things you don't know about.
  
  But this is the point. How can you secure code when you don't actively audit it? The reason why there are 10,000 holes is that companies don't have the mindset of features + security = release. It is first develop the features then release. And after the fact add security.
  
  It will take a huge culture shift to get that the concept that in order for programs to be secure they have to have security built in from the ground up, not after the fact. If you don't do it this way then you get a fix opening another problem fixing a problem. Build in the security first and you don't have this problem.
  
  In order to do it this way you need to change the way people program. And in order to do that you need some external or internal motivation to do so. And honestly speaking I don't see that yet. Maybe another 40 million credit cards need to be released.
  
  --
  Quality Hosting e3 Servers
7. Re:Just like Customer Service by Anonymous Coward · 2005-07-21 05:07 · Score: 0
  
  I've been at places like that in CERTAIN government organizations. The one I'm at now is called...well, I shouldn't say. Hint: It's big. And it's all about security for the home^H^H^H^Hfatherland.
  
  Anyway, they have a security group. These geniuses come up with recommendations like restricting root's access to the production servers. Or locking out the DBAs from Oracle. Stuff like that.
8. Re:Just like Customer Service by Tony-A · 2005-07-21 07:40 · Score: 1
  
  The biggest problem with security is that you can't guard against things you don't know about.
  
  Sounds reasonable, BUT.
  The entire purpose of security is to guard against things you don't know about. Otherwise it's too much like Monday morning quarterbacking.
  
  Finding holes is not particularly difficult. Just use it in unexpected ways and look for unexpected results. Closed source is pretty useless as a defence. The attacks are based on what the program actually does. The source shows what the programmer thinks the program does. Any difference and there is potential for bad things to happen, and security holes are far from the worst things that can happen.
9. Re:Just like Customer Service by evenprime · 2005-07-21 09:54 · Score: 1
  
  Hey, Dan
  
  Congrads on the good press coverage. :)
  
  Joey
  
  --
  
  "Weapons should be hardy rather than decorative" - Miyamoto Musashi
  I think that goes for OS's too
10. Re:Just like Customer Service by Effugas · 2005-07-24 18:00 · Score: 1
  
  Wait, which Joey is this???
11. Re:Just like Customer Service by evenprime · 2005-07-28 04:08 · Score: 1
  
  Wait, which Joey is this???
  
  This one:
  http://seclists.org/lists/bugtraq/2000/Nov/0322.ht ml
  
  --
  
  "Weapons should be hardy rather than decorative" - Miyamoto Musashi
  I think that goes for OS's too
Security and its ways by michelcultivo · 2005-07-21 02:29 · Score: 1

Security is the last modism from the vendors, like terrorism is on our world today. We have a lot of products that "protect our networks", a lot of guys that keep on telling that "you need security". But you can see that all the people always says the same thing.

--
http://www.michel.eti.br
On the Dan Kaminksy Interview by ehaggis · 2005-07-21 02:30 · Score: 2, Insightful

I am glad to see that Dan did not kowtow to MS despite being a speaker. MS cannot smoke and mirror us into believing the "Windows is secure mantra" by merely providing good, believable speakers. His comparing apples to apples was also a jab at the MS statistical spin machine.

--
One ring to bind them - should probably have more fiber and less rings in their diet.
Blue Hat? by Anonymous Coward · 2005-07-21 02:45 · Score: 1, Insightful

"(Hackers are) not just a bunch of disaffected teenagers sitting in their mom's basement. These are professionals that are thinking about these issues."
--Noel Anderson
Wireless networking
engineer, Microsoft

I can play both of those, a single-forty-year-old woman, a fresh-out-of-college jerk, a recently-made-available celebrity, a professional weatherman with agrophobia, or even an FBI/CIA/NSA agent with a hardcore case of "the powertrip", and you'll never know the difference.

So why bother defining me? To humanize my actions? To make me feel threatened and exposed?
Who is this clown? by fdiskne1 · 2005-07-21 02:46 · Score: 3, Interesting

The interview with Dan Kaminsky, while heavy on the car/computer analogy still comes across as "okay". He provided some insight into what happened at the "Blue Hat Hackers" meeting with Microsoft. The interview with Richard Thieme left me awestruck. He is a spittin' image (interview-wise) as Jon Katz. Lots of buzzwords that didn't provide any information or insight. I feel as though I was a security expert forced to listen to a marketing person tell me why he is a security expert. That was painful and I'm not a security expert.

--
But why is the rum gone?
1. Re:Who is this clown? by Anonymous Coward · 2005-07-21 03:56 · Score: 0
  
  Dan Kaminsky knows his shit, google him and read his work.
  
  Richard Thieme interview was about how he got into the biz, so naturally it was about his personal successs.
  
  No your not a security expert.
2. Re:Who is this clown? by wild_berry · 2005-07-21 04:33 · Score: 2, Interesting
  
  I rate highly Thieme's words on his site (Thiemeworks.com and his comments at Islands in the Clickstream), but the article linked from here is very hand-wavy and contains too much hot air.
  
  You may have to forgive the guy for continuing to process the world in terms of his religious background: the mystery at the Unknown Other, the power of the symbols we use to communicate Good and Evil, humanity's need for the company of other humans and the need to treat each other person with respect and dignity (although too few religious people hit this last target...).
3. Re:Who is this clown? by Anonymous Coward · 2005-07-21 04:34 · Score: 0
  
  No[,] you[']r[e] not a security expert.
  And you're not an expert with grammar, so what's your point?
4. Re:Who is this clown? by mclaincausey · 2005-07-21 05:26 · Score: 1
  
  Looks like a big flake to me... UFOs on Mars? Not discounting his professionalism or abilities, but... is he like a Scientologist or what?:P
  
  --
  (%i1) factor(777353); (%o1) 777353
Click paranoia by Anonymous Coward · 2005-07-21 03:29 · Score: 0

I gave up reading Islands in the Clickstream a few months after 9/11. Thiemes reaction was way over the top. Freedom and privacy were no longer important to him it seemed. Probably still aren't. Who cares what he says?
You HAVE to LEARN SECURITY by Anonymous Coward · 2005-07-21 03:58 · Score: 0

Russian Woman: I'm from Russia. I did not learn computers until I am here. Now I'm having so many jobs. Thank you, I.T.F. [makes "okay" sign with fingers]

Rafael: You have to learn computers! At I.T.F., you will learn computer things, like: [listed items appear on screen as titles] Computer Wires, Computer Screensavers, Where to Put the Computer, Web, Computer Desks, Computer Downloading, Font, Computer Speakers, Carrying the Computer, Computer Classes, Computer Boxes.
In a monotone voice: by Asicath · 2005-07-21 04:31 · Score: 1

Corporations are not monolithic.
There is no hive mind that can one day change every opinion towards some sort of 'rightthink'.
Microsoft has said the right things about security for years.
Why Blue Hat ? by raulfragoso · 2005-07-21 04:34 · Score: 1

I'm sure that such events would be less boring if the spearkes were nice and wise girls, using some sexy lingerie. And a good name for that would be Black Underwear !
Another problem with metrics... by argent · 2005-07-21 05:02 · Score: 2, Interesting

Another problem with metrics is that you can't "test in" security, and measuring security by the number of failures is really trying to do just that.

You need to look at what the actual failures are, whether the kinds of failures are changing or not, whether there's a common cause to some class of failures and how hard it would be to address that common cause, and whether different systems tend to suffer from different kinds of failures.

Buffer overflows, for example. Everyone gets hit by buffer overflows, there's a common cause, but some of the techniques you can use to address them are easier than others. Non-executable stacks, great. Easy to do, if the hardware supports it, and doesn't have much of an impact on the developers. Changing to a language where buffer overflows can't happen? That's hard.

Code injection by playing quoting games, using '%2E%2E' or some complex Unicode string instead of '..', or telling me your name is '%34;cat%20/etc/passwd;echo%20%34'. Different symptoms, sometimes you can systematically fix them, sometimes you can't. A lot of what people think they know about these kinds of attacks is wrong, and they fix them badly and someone with a name like "d'Artagnon" finds he's a hacker.

Sandboxes. Lots of bad information about these going around. Microsoft used to say sandboxes were a bad idea, too much overhead. I don't know if they still do, but they need to come up with a fully sandboxed inherently safe version of Internet Explorer... the sooner the better. Oh, and Firefox has been playing with fire here too... and Apple needs to quit trying to sandbox dashboard at all and just treat it as another application platform... before they end up with people depending on a sandbox that isn't really there.

But the bottom line is, all the metrics in the world won't tell you whether these problems are things that vendors should be held directly accountable for, or whether they're the user's responsibility for configuring their systems correctly, or whether it's a third party plugin/cgi/component vendor that's the real problem.
1. Re:Another problem with metrics... by Tony-A · 2005-07-21 08:00 · Score: 1
  
  Counting exploits is too much like traffic cops with quotas, and no incentive to go over the quota.
  
  With that, the nature of open source is find and fix and become a hero.
  Closed source would really rather that exploits not be published.
  
  To measure the relative security, imagine how hard it was to find the exploit. If they're finding low-hanging fruit, there has to be plenty left. If it takes heroic effort, then there are not so many left.
  
  OpenBSD publishes a security patch. Do you apply it? Likely not, since it takes some wierd combination that just doesn't apply in your situation.
2. Re:Another problem with metrics... by Anonymous Coward · 2005-07-21 09:48 · Score: 0
  
  Changing to a language where buffer overflows can't happen? That's hard.
  
  I beg to differ. It isn't a language problem, it is a knowledge and management issue. It isn't hard for a skilled programmer to write good code, it isn't hard for management to hold off shipping the product until the security code reviews are complete.
  
  But most programmers are underskilled, those that are skilled learn to get out of professional coding as the pay sucks. Most managers are cocaine untrained social butterflies and don't know the difference between a mosquito bite and a digital byte.
  
  But until corporate senior managers and users learn to say the dirty I/T word, "no" to scrapware we have to live with the onslought of inferior products and live with the consequences.
New Denial of Service attack on Hat Colors by randyflood · 2005-07-21 05:04 · Score: 1

Enumerate all the possible colors of Hats and file trademarks on them (Purple Hat, Aqua Hat, Green Hat, Pink Hat, etc.) .

Then, write a Perl script that does daily google queries for each color of hat. Whenever someone else starts using Aqua Hat, or Gold Hat or whatever, Write them a Cease and Desist Letter. Also have your script attempt to locate new names of colors. Then automatically generate Trademark applications for those names of Hats as well.

File a Patent application for your Perl Script. Say it is an automated method of generating new classifications of hackers based on a dynamic color model.

Make sure your Perl script uses some trivial form of encryption. Make spurios claims that people who mention things like Aqua Hat are also clearly violating the DMCA by reverse engineering your Perl script to try to steal your valuable intellectual property. Not only that, but they are also viloating your patent.

Then, companies breaking into the security industry will come and buy your trademarked names from you.

--
Randy.Flood@RHCE2B.COM
Red hat hackers by bigredradio · 2005-07-21 06:35 · Score: 1

I know, how about Red Hat hackers! oh wait...

--
Flexible bare-metal recovery for Linux/UNIX
Dear Dan: MS 'security' is bullshit by gelfling · 2005-07-21 06:52 · Score: 1

Seriously, am I the only person who's sick of some public speaking rep from the biggest richest most powerful self professed technically exotic company on the planet snarkily explain to be why something is 'hard' or we're 'getting better' at something.

Dan, MS security is for shit by any fucking metric you want to hurl at it. And no amount of hemming and hawing about hats and China and whatnot is ever going to alter the profound and terrifying reality of that a company larger than the GDP of fucking Belgium can't or won't figure this shit out.

No one cares about your excuses anymore - you've won the battle you own EVERYTHING. So shut up and crunch the damn code that will keep ME personally from getting raped by your sloppiness, inattention, lack of concern or cynicism because I swear to god this is why revolutions happen.
1. Re:Dear Dan: MS 'security' is bullshit by ryanr · 2005-07-21 07:58 · Score: 1
  
  Huh?
  
  You might want to read the artcile linked, which clearly indicates that Dan does not work for Microsoft.
tin foil hat on by oh_the_humanity · 2005-07-21 07:13 · Score: 1

Anyone wonder why this whitedust website is getting so much free publicity lately ? is it some how related to slashdot , or the slashdot editors ? i find 3 stories in a weeks time, kind of odd. they will approve a story about how to track down a fscking mac address, but they wont publish a story about how thousands of SS#'s just got comprised from a USC database.

--
"When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
1. Re:tin foil hat on by Anonymous Coward · 2005-07-21 23:53 · Score: 0
  
  That's a great conspiracy theory, but sadly well wrong. Whitedust.net appears to be owned by Mark Anderson (whois the domain), and he is the guy who ran the Irish "Hivercon" (www.hivercon.com) security conferences a few years back. The site is privately owned, and as it's tag line points out, independent.
2. Re:tin foil hat on by mubix · 2005-07-22 00:05 · Score: 1
  
  Hm, sounds to me like someone has his panties in a twist because his article got turned down.
3. Re:tin foil hat on by Anonymous Coward · 2005-07-22 00:13 · Score: 0
  
  Is it wrong for a site to have content? Sure isn't any here.
Very creative guy by Anonymous Coward · 2005-07-21 07:17 · Score: 0

Dan's site has a ton of interesting and original stuff on it. This dude knows his bits and bytes.
Well what is Dan upto... by GC · 2005-07-22 01:28 · Score: 1

Got this SYN packet from him with the following data in it:
000 : 48 65 6C 6C 6F 2C 20 74 68 69 73 20 70 61 63 6B Hello, this pack 010 : 65 74 20 69 73 20 70 61 72 74 20 6F 66 20 74 68 et is part of th 020 : 65 20 44 6F 78 50 61 72 61 20 49 6E 66 72 61 73 e DoxPara Infras 030 : 74 72 75 63 74 75 72 65 20 56 61 6C 69 64 61 74 tructure Validat 040 : 69 6F 6E 20 50 72 6F 6A 65 63 74 2E 20 46 75 72 ion Project. Fur 050 : 74 68 65 72 20 64 65 74 61 69 6C 73 20 61 72 65 ther details are 060 : 20 61 76 61 69 6C 61 62 6C 65 20 76 69 61 20 48 available via H 070 : 54 54 50 20 6F 6E 20 74 68 69 73 20 49 50 2C 20 TTP on this IP, 080 : 62 79 20 65 6D 61 69 6C 69 6E 67 20 44 61 6E 20 by emailing Dan 090 : 4B 61 6D 69 6E 73 6B 79 20 61 74 20 64 61 6E 40 Kaminsky at dan@ 0a0 : 64 6F 78 70 61 72 61 2E 63 6F 6D 2C 20 6F 72 20 doxpara.com, or 0b0 : 62 79 20 63 61 6C 6C 69 6E 67 20 2B 31 2D 34 30 by calling +1-40 0c0 : 38 2D 39 33 33 2D 38 31 39 35 2E 20 20 54 68 65 8-933-8195. The 0d0 : 73 65 20 70 61 63 6B 65 74 73 20 61 72 65 20 62 se packets are b 0e0 : 79 20 6E 6F 20 6D 65 61 6E 73 20 6D 61 6C 69 63 y no means malic 0f0 : 69 6F 75 73 2E ious.