Interview with Marcus Ranum
Federico Biancuzzi, 2005-06-21

Good! 2005-06-21
Anonymous
Interview with Marcus Ranum 2005-06-21
Steve Lodin
Interview with Marcus Ranum 2005-06-22
Anonymous (1 replies)
Re: Interview with Marcus Ranum 2005-06-22
Marcus Ranum
If the CTOs of 10 FORTUNE 500 firms .... 2005-06-22
Andrew Yeomans
Interview with Marcus Ranum 2005-06-22
some guy in Central PA (1 replies)
Re: Interview with Marcus Ranum 2005-06-22
Marcus Ranum (1 replies)
Interview with Marcus Ranum 2005-06-22
Anonymous
Interview with Marcus Ranum 2005-06-22
Anonymous (1 replies)
Re: Interview with Marcus Ranum 2005-06-22
Marcus Ranum (2 replies)
Re: Re: Interview with Marcus Ranum 2005-06-22
Anonymous (1 replies)
Re: Re: Re: Interview with Marcus Ranum 2005-06-23
Marcus Ranum (1 replies)
>Still, despite above stated problem, without all
>these, sometimes idiotic, "hackers". IT-Security
>would be even worse off than it is now.

I don't see how you can say that. That's like saying "Airport security would be no good if it weren't for the efforts of all the terrorists and psychos who keep trying to bring weapons on planes." Yes... That's true... But I think that's missing a very important point. :) Security would be completely unnecessary.

Now, I understand that's just a philosophical argument. We're in the real world. There are bad people and they are never going to go away. So, of course, EVERYONE now has to protect themselves or else they will be victimized.

Remember that hacking/computer crime/cracking or whatever you want to call it - costs us TWICE. First, it costs the direct victims: the folks who get hacked and lose money, their jobs, their businesses, or have their identity stolen, or whatever. Secondly, it costs EVERYONE because if you don't want to get victimized you have to invest time and money in defending yourself. You know all those billions of dollars spent on antivirus products and personal firewalls? They're dollars everyone on earth is forced to spend by those helpful hacker/cracker/cybercriminals in an attempt to keep them out.

Should I be thanking them?

>Therefore I'm very wary of all these new laws
>and regulations that forbid "hacking" (in the
>technically curious sense) for so-called
>security reasons. They seem to me to be more a
>blanket for companies to be able to create and
>sell crap products.

There are two issues here and they're not really connected, but I can see why you'd want them to be. First is the question of legislation against "hacking for curiosity" and the second is the question of vendors selling crap products. I'll try to address them in sequence...

Curiosity... It's the sign of a developed intellect to wonder "what if...?" and I think that almost no matter WHAT kind of goofy legislation gets passed, there will still be loads of room for curiosity. The question -ALWAYS- arises as to when curiosity becomes trespass. If I'm curious about your house, can I just walk in and look around? If you're curious about mine, can you come search my underwear drawer? (Make sure you say "Hi" to Miles and Jake, the 2 140-lb German Shepherd-wolf dogs that live with us, first..)

The "hacker" community has propagated a very strong ideology of "my curiosity GIVES ME THE RIGHT to go where you didn't invite me." Let's face it, that's just arrant nonsense. Back when I was CEO of NFR we had this discussion (securityfocus.com had just started, if I recall) and I offered to let any hacker who was curious about our code come to our facility, sign an NDA, and look at our source code all they wanted. Ooooho, but those terms weren't acceptable, were they? Why not? Because power/freedom comes with responsibility and some people want the power and freedom to go wherever they want, without the responsibility of having to respect the property-holder/network administrator/software vendor's rights. And though you may not believe it, a vendor has a RIGHT to keep their product private if they want; just like you have a RIGHT to keep your personal information private. And you have the RIGHT to not do business with vendors that don't make you happy.

Now.. let me get to your second point:
>And since you can't test the stuff the
>consumer is stuck with it.

This is the tricky part.

I fully agree that customers should be able to test (destructively if necessary) products. In fact, as you can see in the interview - I think it's a customer's DUTY to understand and test products. Because of the annoyance factor in the way hackers are currently doing things, the vendors have been trying to stack the deck in what I believe is the wrong direction.

I think this is a great area in which creativity can be shown to great effect. Do like Consumer Reports does. Invite vendors to participate in tests, and write in your report that "Vendor X was unwilling to explain how their firewall works so we disqualified them." Be a scientist: come up with tests that allow you to learn what you need to learn in a positive and interesting manner. I am reminded of Lance Spitzner's discovery that Checkpoint Firewall-1 didn't really do TCP sequence tracking, because he was watching traces go through it that wouldn't have if it did. What a fascinating discovery! And it's one that any user of the product could legitimately discover and publish without the vendor's involvement.

Back in 1999 I challenged the hacker community to put their money where their mouth(s) was and if they really wanted to make the Internet more secure they should try to arrange to go up to Microsoft for a few months, sign their NDA, and do a no-holds-barred code-review of IIS.

But that wouldn't be fun, would it? The hackers want the power of ultimate self-determination, and none of the responsibility. Unfortunately, things don't work that way for very long.

mjr.


Link to this comment: http://www.securityfocus.com/comments/columns/334/32047#32047
Blame 2005-06-22
Anonymous (1 replies)
Re: Blame 2005-06-22
Marcus Ranum
Interview with Marcus Ranum 2005-06-22
Anonymous
What a genius! 2005-06-22
Pete (4 replies)
Re: What a genius! 2005-06-22
Anonymous (1 replies)
Re: Re: What a genius! 2005-06-27
Anonymous
Re: What a genius! 2005-06-22
Marcus Ranum
Re: What a genius! 2005-06-23
Anonymous
Re: What a genius! 2005-06-23
Anonymous
Interview with Marcus Ranum 2005-06-22
B Maurice
Interview with Marcus Ranum 2005-06-22
Anonymous (1 replies)
Re: Interview with Marcus Ranum 2005-06-22
Marcus Ranum
Interview with Marcus Ranum 2005-06-22
Anonymous
Interview with Marcus Ranum 2005-06-22
Anonymous
Interview with Marcus Ranum 2005-06-22
Anonymous
Interview with Marcus Ranum 2005-06-22
Tails (2 replies)
Re: Interview with Marcus Ranum 2005-06-22
Anonymous
Re: Interview with Marcus Ranum 2005-06-22
Marcus Ranum (7 replies)
Re: Re: Interview with Marcus Ranum 2005-06-23
Anonymous (1 replies)
Re: Re: Interview with Marcus Ranum 2005-06-25
rabidpacketmonkey
Re: Re: Interview with Marcus Ranum 2005-06-28
Norman Yarvin
Interview with Marcus Ranum 2005-06-22
trip (1 replies)
Re: Interview with Marcus Ranum 2005-06-23
Marcus Ranum
Good Article 2005-06-22
JC
What A Total Jackass 2005-06-22
Anonymous (1 replies)
Re: What A Total Jackass 2005-06-23
Marcus Ranum (1 replies)
Re: Re: What A Total Jackass 2005-06-29
Anonymous
Marcus Ranum blaming hackers???? 2005-06-22
pw (2 replies)
Re: Marcus Ranum blaming hackers???? 2005-06-23
Marcus Ranum
no, blame the victims 2005-06-24
Anonymous
SE/Linux 2005-06-22
Luke Kenneth Casson Leighton (1 replies)
Re: SE/Linux 2005-06-29
Anonymous
Interview with Marcus Ranum 2005-06-23
Rastor5
Interview with Marcus Ranum 2005-06-23
Anonymous
distribution of responsability is well put 2005-06-23
Martin-Éric Racine
Interview with Marcus Ranum 2005-06-23
Anonymous
Blame the Hackers? 2005-06-23
Bob (1 replies)
Re: Blame the Hackers? 2005-06-29
Marcus Ranum
Interview with Marcus Ranum 2005-06-24
Phil Agcaoili
his comments about the RFC process 2005-06-24
Reinier Post
Interview with Marcus Ranum 2005-06-24
Anonymous (2 replies)
Re: Interview with Marcus Ranum 2005-06-27
M. Andrew Molitor
Re: Interview with Marcus Ranum 2005-06-28
Anonymous (1 replies)
Interview with Marcus Ranum 2005-06-27
Anonymous (1 replies)
Re: Interview with Marcus Ranum 2005-07-11
Anonymous
80% spyware & 15% keyloggers? 2005-06-28
Anonymous
Interview with Marcus Ranum 2005-06-28
Anonymous (1 replies)
Re: Interview with Marcus Ranum 2005-06-29
Marcus Ranum
Interview with Marcus Ranum 2005-06-29
David
Agressive network configuration 2005-07-05
Stephen T
Interview with Marcus Ranum 2005-07-06
Anonymous
Think about it... 2005-07-16
Johann van Duyn
Interview with Marcus Ranum 2007-07-11
John Cowan
Interview with Marcus Ranum 2007-11-27
Anonymous
Copyright 2007, SecurityFocus