Beware the Kindness of Strangers: The Case Against Good Samaritan Hackers
Richard Forno, 2002-03-28

The Good Samaritan defence, invoked by hackers like Adrian Lamo, can too easily be distorted by those with less altruistic intentions.

Good Samaritan Guidelines 2002-03-29
Anonymous (1 replies)
Good Samaritan Guidelines 2002-04-09
ImNotAHacker@hotmail.com
The first four letters of analogy. . . . 2002-04-01
Ira Wing (2 replies)
Right.

If one more of you well paid security columnist/consultants brings up the locked-door-of-a-house analogy, I think I'm going to give up the fight.

I am going to say this once.

The reason it is so easy for people like Adrian Lamo . . . and like me . . . to break into your networks is that all of you people think alike. I can put myself into your head and think of all the very simple stuff you use to obfuscate your network.

Until you can think like me, you are vulnerable because your port 81 admin server is obvious, the services you need to enable on your network so that other overpaid security consultants can work from home all use port 8080, 2323 or god forbid 6969. . . and as long as you allow users to reset their passwords by using a web form to put in their date of birth, you are merely feeding the curiosity of people that want to see what you're hiding in all that bandwidth.

You focus on script kiddies and terms for children with programs that scan your network. You bemoan the power of suburban teens with 500 DDOS zombies nattering about it in irc channels or chatrooms, claiming "billions" in damage from twelve hours of being pinged from .edu and international IPs.

Keep right on doing just that and ignore all the real vulnerabilities, don't be brave enough to really try and address what's wrong with network security, corporate security, and information security in general. Continue to be afraid to "inconvenience" your users.

Yes. It's against the law. But you know what, so is spitting on the street in Oakland, CA and refusing a man a drink of water in Arizona. Are these good laws? Does our system of governance benefit from their continued existence as prosecutable offenses? Does my bringing up of these laws as a "defense" against your "analogy" validate anything? Of course not.

It's semantics. Your word games and legislation will not protect you. I'd tell you to "get out of the box" but you're deaf to your buzzwords, merely expecting people to nod politely and smile when they hear them, just like you do.

I'm glad that I'm not you.


Link to this comment: http://www.securityfocus.com/comments/columns/70/11550#11550
The first four letters of analogy. . . . 2002-04-04
Andy Richmond (1 replies)
We're both right. 2002-04-13
Ira Wing
Case Against 2002-04-02
Spade
Beware the Kindness of Strangers: The Case Against Good Samaritan Hackers 2002-04-03
Andy Schmitt (kphrakNO@worldofschmittSPAM.ALLOWEDcom) (1 replies)
"...Good Samaritan Hackers" Bad English. 2002-04-05
Andy Richmond (1 replies)
right.. 2002-04-09
Anonymous
Which law? 2002-04-04
80N
What about the "lurkers"? 2002-04-12
Bob Radvanovsky
Digital Vigilantism? 2002-04-12
Bob Radvanovsky







 

Copyright 2009, SecurityFocus