Slashdot Mirror
Security Hackers Interviewed
An anonymous reader writes "SecurityFocus has published an interview with Dan Kaminsky. He was guest-hacker at Microsoft Blue-Hat event. At the same time, Whitedust is running an interview with Richard Thieme from back in April. Richard is best known for his column 'Islands in the Clickstream' which is syndicated in over 60 countries." Thieme also wrote a column or two for Slashdot back in the day. From the Kaminsky interview: "Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of 'rightthink'. Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels."
Ah, I had to do it once.
ian
OH no! someone saying something to ease and assure people... oh crap! i cant believe it... how... how could they...
I love to slaughter the english language.
By Peter Prickett (Thu, 14 Apr 2005 10:57:40 +0100)
As perhaps the first information philosopher, Richard Thieme has become a figurehead among both the cloak and dagger intelligence community and the highly secretive hacker underground. Richard is an institution in the hacker/security conference circuit and his column 'Islands in the Clickstream' is syndicated to over 60 countries.
WD> CNN have called you 'a member of the Cyber avant-garde', Digital Delirium named you 'one of the most creative minds of the digital generation'. How do you handle such praise?
You drop a zero.
When I joined the national speakers association, I was overwhelmed by a gale force wind of other speakers telling me how much they worked, how great they were, how highly paid they were. A friend told me, when they tell you their fee, just drop a zero.
Same thing. I take kind or generous statements like that to mean, "your work was meaningful for me" or "I like that" or "you made me think."
You never believe your own press - good or bad.
WD> How did you initially get involved in technical commentary?
When I left the ordained (Episcopal/Anglican) ministry in 1993 it was to explore the transformational energies swirling around us then as a result of the information revolution. I was asked to write a column about the human side of technology for the Wisconsin Professional Engineers' monthly magazine. After half a dozen had received a good response I offered them by email which was new then. As E.B. White said, it's no wonder how complicated things get what with one thing leading to another. The columns became Islands in the Clickstream which are now a book (Syngress Publishing 2004) and I used the nascent world wide web to locate magazines and see if they wanted social or cultural commentary on the phenomenon. Within a few months I was writing for magazines in America, Canada, England, Australia, and South Africa. I wrote every month for South Africa Computer Magazine for three years. Islands now goes to at least sixty countries.
As I said, one thing leading to another.
WD> What has been your sons influence upon your work and your approach to it?
My dialogue with my son, who was 12 when I bought him an Apple 2 and who has never looked back - has been invaluable. It's the dialogue. I learned to bring to him what I later brought to some of the young technophiles in hacker cons - absolute respect. He was so much brighter than I was about technical matters and saw things so clearly that our dialogue became an important learning space for me. That continues today, and he'll be 35 this year.
Of course that's true of ALL of our seven children and step-children! But Aaron, the first born son, is the one with the most geeky gifts in relationship to all this.
WD> How have your ministerial experiences affected your approach to information technology?
Absolutely. And my immersion in, teaching of, and writing literature the decade before that. I learned to relate the context of our encounters and conversations to ultimate values. They may be implicit rather than stated, but that was always the deeper context. Information technology like print text before it is a transformational engine for human identity and activity. We think and behave differently as a result of the ways new technologies of information and communication frame our possibilities. I learned to do that in a world of writing and text. I saw that electronic communication was changing us and in fact already had changed us (the telegraph started all this in 1820, after all) in significant ways.
Ministry was ultimately about using symbols, particularly powerful archetypal symbols, as transformational leverage on behalf of people who were searching for solutions, resolutions, higher states, different spiritual and emotional goal states. Preaching was like doing a Tarot reading, if you think about it, using symbols of deliverance, healing, and transformation. It stands to reason
"I am the man," says Kaminsky.
Note to Microsoft
We have more then enough hat colours as things stand.
Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)
My pics.
And they didn't even manage to announce Mornington Crescent! Newbs!
Duh.
... oh yeah, put a firewall in front of it. What, we were hacked? We had a firewall ...
Security is a neat buzz word lately. We all "need" to do security, blah, blah, blah.
Security is just like customer service. In order for it to be effective you have to ingrain it in a culture which places it as a top priority. It's obvious that most developers and corporations think of this as an after thought.
Okay, we need functionality x and y. Great, now that we have it
Just reading the article it shows that the developers were surprised someone can reverse engineer their code; they were "annoyed" someone created a graphical exploit. Annoyed? How about pissed? What about "motivated" to plug the hole. Obviously we weren't there to hear this first hand but it sounds like just an oh well we should do something about this. The article talks about a priority shift. Just another corporate slogan.
If it was a true culture shift you would see something like: x company has announced the hiring of 1,000 new software programmers to create a new division of security. This new division will audit all code for potential security problems before any new programs are released.
Quality Hosting e3 Servers
oh how i yearn for those days of yore...
sigh...
Ydco co
N/T
Security is the last modism from the vendors, like terrorism is on our world today. We have a lot of products that "protect our networks", a lot of guys that keep on telling that "you need security". But you can see that all the people always says the same thing.
http://www.michel.eti.br
I am glad to see that Dan did not kowtow to MS despite being a speaker. MS cannot smoke and mirror us into believing the "Windows is secure mantra" by merely providing good, believable speakers. His comparing apples to apples was also a jab at the MS statistical spin machine.
One ring to bind them - should probably have more fiber and less rings in their diet.
"(Hackers are) not just a bunch of disaffected teenagers sitting in their mom's basement. These are professionals that are thinking about these issues."
--Noel Anderson
Wireless networking
engineer, Microsoft
I can play both of those, a single-forty-year-old woman, a fresh-out-of-college jerk, a recently-made-available celebrity, a professional weatherman with agrophobia, or even an FBI/CIA/NSA agent with a hardcore case of "the powertrip", and you'll never know the difference.
So why bother defining me? To humanize my actions? To make me feel threatened and exposed?
The interview with Dan Kaminsky, while heavy on the car/computer analogy still comes across as "okay". He provided some insight into what happened at the "Blue Hat Hackers" meeting with Microsoft. The interview with Richard Thieme left me awestruck. He is a spittin' image (interview-wise) as Jon Katz. Lots of buzzwords that didn't provide any information or insight. I feel as though I was a security expert forced to listen to a marketing person tell me why he is a security expert. That was painful and I'm not a security expert.
But why is the rum gone?
Something like a grey hat, but after eXperiencing some blue screen of death?
rofl
I gave up reading Islands in the Clickstream a few months after 9/11. Thiemes reaction was way over the top. Freedom and privacy were no longer important to him it seemed. Probably still aren't. Who cares what he says?
Ahhh yeah...
Russian Woman: I'm from Russia. I did not learn computers until I am here. Now I'm having so many jobs. Thank you, I.T.F. [makes "okay" sign with fingers]
Rafael: You have to learn computers! At I.T.F., you will learn computer things, like: [listed items appear on screen as titles] Computer Wires, Computer Screensavers, Where to Put the Computer, Web, Computer Desks, Computer Downloading, Font, Computer Speakers, Carrying the Computer, Computer Classes, Computer Boxes.
Corporations are not monolithic.
There is no hive mind that can one day change every opinion towards some sort of 'rightthink'.
Microsoft has said the right things about security for years.
I'm sure that such events would be less boring if the spearkes were nice and wise girls, using some sexy lingerie. And a good name for that would be Black Underwear !
Another problem with metrics is that you can't "test in" security, and measuring security by the number of failures is really trying to do just that.
You need to look at what the actual failures are, whether the kinds of failures are changing or not, whether there's a common cause to some class of failures and how hard it would be to address that common cause, and whether different systems tend to suffer from different kinds of failures.
Buffer overflows, for example. Everyone gets hit by buffer overflows, there's a common cause, but some of the techniques you can use to address them are easier than others. Non-executable stacks, great. Easy to do, if the hardware supports it, and doesn't have much of an impact on the developers. Changing to a language where buffer overflows can't happen? That's hard.
Code injection by playing quoting games, using '%2E%2E' or some complex Unicode string instead of '..', or telling me your name is '%34;cat%20/etc/passwd;echo%20%34'. Different symptoms, sometimes you can systematically fix them, sometimes you can't. A lot of what people think they know about these kinds of attacks is wrong, and they fix them badly and someone with a name like "d'Artagnon" finds he's a hacker.
Sandboxes. Lots of bad information about these going around. Microsoft used to say sandboxes were a bad idea, too much overhead. I don't know if they still do, but they need to come up with a fully sandboxed inherently safe version of Internet Explorer... the sooner the better. Oh, and Firefox has been playing with fire here too... and Apple needs to quit trying to sandbox dashboard at all and just treat it as another application platform... before they end up with people depending on a sandbox that isn't really there.
But the bottom line is, all the metrics in the world won't tell you whether these problems are things that vendors should be held directly accountable for, or whether they're the user's responsibility for configuring their systems correctly, or whether it's a third party plugin/cgi/component vendor that's the real problem.
Enumerate all the possible colors of Hats and file trademarks on them (Purple Hat, Aqua Hat, Green Hat, Pink Hat, etc.)
Then, write a Perl script that does daily google queries for each color of hat. Whenever someone else starts using Aqua Hat, or Gold Hat or whatever, Write them a Cease and Desist Letter. Also have your script attempt to locate new names of colors. Then automatically generate Trademark applications for those names of Hats as well.
File a Patent application for your Perl Script. Say it is an automated method of generating new classifications of hackers based on a dynamic color model.
Make sure your Perl script uses some trivial form of encryption. Make spurios claims that people who mention things like Aqua Hat are also clearly violating the DMCA by reverse engineering your Perl script to try to steal your valuable intellectual property. Not only that, but they are also viloating your patent.
Then, companies breaking into the security industry will come and buy your trademarked names from you.
Randy.Flood@RHCE2B.COM
I know, how about Red Hat hackers! oh wait...
Flexible bare-metal recovery for Linux/UNIX
feel an oblig#ation
Seriously, am I the only person who's sick of some public speaking rep from the biggest richest most powerful self professed technically exotic company on the planet snarkily explain to be why something is 'hard' or we're 'getting better' at something.
Dan, MS security is for shit by any fucking metric you want to hurl at it. And no amount of hemming and hawing about hats and China and whatnot is ever going to alter the profound and terrifying reality of that a company larger than the GDP of fucking Belgium can't or won't figure this shit out.
No one cares about your excuses anymore - you've won the battle you own EVERYTHING. So shut up and crunch the damn code that will keep ME personally from getting raped by your sloppiness, inattention, lack of concern or cynicism because I swear to god this is why revolutions happen.
Anyone wonder why this whitedust website is getting so much free publicity lately ? is it some how related to slashdot , or the slashdot editors ? i find 3 stories in a weeks time, kind of odd. they will approve a story about how to track down a fscking mac address, but they wont publish a story about how thousands of SS#'s just got comprised from a USC database.
"When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
Dan's site has a ton of interesting and original stuff on it. This dude knows his bits and bytes.