From: sockz loves you
To: full-disclosure@lists.netsys.com
Subject: Security Industry Under Scrutiny: Part One
Date: Thu, 07 Nov 2002 05:12:33 -0500

hi full-disclosure,

I was going to write to you today about one of the projects I've been working on, but it's not complete yet, so I'll save it for another day.

It seems that a lot of people are talking about this "UK hacker", a 36yo guy by the name of so1o. I won't, cuz it's boring already.

The other piece of interesting news that I AM going to discuss though, is the prospect of new or changed legislation affecting internet security and cybercrime in general. A couple of days ago wired ran an article [ http://wired.com/news/politics/0,1283,56351,00.html ] about changes to legislation in the US, regarding hacking and terrorism... the Cyber Security Research and Development Act.

What does this act do? Well it aims to increase funding for the security industry in the US, as a means of combating cyberterrorism and cybercrime. To quote Michael Grebb in his article:

--------------------------------------------------------------------------------
"the bill's backers said cybersecurity funding is now inadequate, especially if terrorists were to time cyberattacks with physical attacks similar to those carried out on Sept. 11, 2001. The result could cripple vital response services, most of which rely on computer networks."
--------------------------------------------------------------------------------

This bill aims to increase protection measures against cyberterrorists by increasing funding for the security industry. Politicians say it will do this through increasing funding to colleges and schools around the nation in the hope that they can reduce the 'moron' side of the moron to expert ratio of computer security graduates. How amusing that more than a year after the catastrophic events of the WTC and Pentagon attacks do we NOW find bills being put into place to combat terrorism.
Now it would seem that you don't have to work for a terrorist organisation to be targeted by this bill. It seems that today if you hack any major corporation or any kind of government computer (regardless of its use and the information it holds) you transcend from being "hacker" to "terrorist". How is it terrorism when the only fear it inspires is from the story that the government gives the press? Why would the government want to create fear? Because catastrophes are good for the economy.

--------------------------------------------------------------------------------
"'We will have a synergistic outcome with catastrophic results,' said Rep. Brian Baird (D-Wash.), who co-sponsored the bill."
--------------------------------------------------------------------------------

I couldn't have said it better myself. Once you get through all the corporate buzzword jargon here we get a sentence that reads "The end result will be a co-operative effort towards catastrophe." If you create more whitehats then you create more advisories. If you create more advisories then you create more 0-days available to script kiddies. When this happens the security industry makes more money, but more people are at risk.

It's like when an oil tanker bursts a leak and spills oil all over the ocean. It's sad for the animals, sure, but all the humans profit. The media gets money from covering the spill, scientists get money for taking care of the animals and then they get more funding to come up with some new technology "for next time", if there is a fire then the ppl who put out that fire get paid money, if there's a terrorist involved then the CIA gets money to track them down, the list goes on. With everyone getting paid lots of money they can afford to buy more stuff. And people buying more stuff means a greater purchasing power for the State, which ultimately improves the economy's power in international trade.
The last thing this world needs is more dolts working for the security industry because it's these idiots who create the oil spill in the first place. What we DO need is to redesign the current system to remove vulnerability information from the eye of the general public... to avoid a "next time" as much as possible. Sure it makes money, but releasing more oil (advisories) into the ocean (community) does not make for a healthy environment (security).

The other article I looked at was one on news.com, entitled "House considers jailing hackers for life". [ http://news.com.com/2100-1001-965750.html?tag=fd_top ] What is this one all about then? Well it seems to be the government's feeble attempt at threatening hackers who could be labelled as terrorists. Declan McCullagh writes:

--------------------------------------------------------------------------------
"CSEA expands the ability of police to conduct Internet or telephone eavesdropping without first obtaining a court order, and offers Internet providers more latitude to disclose information to police."
--------------------------------------------------------------------------------

Australia has seen a similar thing happen with ASIO's authority in the past year or so. In April, The Australian ran an article by Kate Mackenzie about deals between law enforcement agencies and ISPs.

--------------------------------------------------------------------------------
According to sources within the ISP industry, who did not wish to be named, various law-enforcement agencies were working directly with large ISPs to formalise the storage and delivery of data, particularly real-time communications of suspected individuals.
--------------------------------------------------------------------------------

It is the government's hope that they can combat cybercrime by increasing surveillance measures and the penalties for hacking. THIS WILL NOT WORK.
The majority of cybercrime comes in the form of script kiddies, and employs those exploits that have been known about for ages. The whole reason why script kiddies are attracted to cybercrime is because of the "bad boy" label that they are branded with by their peers. So increasing the penalty for 'hacking' will only serve to increase the fame of script kiddies among their peers, causing more people to jump on the moron wagon in their course of seeking popularity. "I could get jailed for life" will become a trendy pickup line in high schools across the nation.

If you want to combat cybercrime then you have to remove the information flows to script kiddies. Since it takes no great genius to be a script kiddy, this needs to be achieved by using non-disclosure when it comes to the public at large. IT IS AN IDIOT'S LOGIC TO WAIT UNTIL THE SCRIPT KIDDY HAS DONE THE DAMAGE BEFORE WE DO ANYTHING ABOUT IT. Anyone who tells you otherwise is out for the profit.

--------------------------------------------------------------------------------

So to summarise:

* The government is moving to increase funding for the security industry to increase the whitehat population.
* The government thinks it can combat the associated increase in script kiddies (from the increase in advisories, resulting from the increase in whitehats) by increasing penalties for hacking.
* If we're going to stop script kiddies we need to eliminate them from the advisory system.
* Removing script kiddies from the security industry means employing non-disclosure mechanisms.
* Waiting for the damage to be done before we do anything about it is poor security sense.

I leave you now with a quote from .fred:

"If your hat is black, stay black and keep your mouth shut. If your hat is white put it proudly on your head, and jump out a 6th story window grabbing a hold of as many skript kiddies as you fall."

<3 sockz