
Thread: hacker-pimping

#1 cwk9 (Senior Member, joined Feb 2002)

    Found an article on www.theregister.co.uk that I thought was worth reading.

    The Source: http://www.theregister.co.uk/content/55/26198.html

    Security industry's hacker-pimping slammed
    By Thomas C Greene in Washington
    Posted: 15/07/2002 at 15:48 GMT

    I spent three days at H2K2 hoping someone would say something worth mentioning in The Register. Finally, on Sunday, a couple of speakers did just that (on which more tomorrow). Best of all was Gweeds' savage synopsis of a thing which world + dog has no doubt long entertained as a vague suspicion, namely the way hackers pimp themselves in hopes of getting hired at great expense by security companies, and the way conferences provide fertile soil for the illusory threat exaggeration on which the security industry feeds.

    The corporate model whereby hackers gravitate towards corporate greed and away from the liberation of data and private resources developed with public funds was pioneered by ISS, Gweeds noted. Hackers now work to expose security flaws with the specific intention of selling out and obtaining funding to become a security company, he said.

    Security lists like BugTraq become the matter for resume stuffing. "Post to BugTraq, become a well-known gadfly on the list, and, like Sir Dystic, get a high-paying job at Microsoft. It's an interesting progression: post a fix to a bug, work on the resume, release some software and then get offered a good job," Gweeds noted with sarcasm.

    He also mapped out the cyclical food chain whereby hacker sell-outs propagate cyber-crime FUD to feed the propaganda needs of government agencies, which helps to lard agency budgets with public funds, and which in turn helps to enrich the security industry.

    "L0pht went in front of Congress and testified at the behest of NIPC and talked about how they could get into any network in the United States. The result is that NIPC got increased funds for cyber-defense and FBI got more funding to fight cyber crime. And now L0pht (@Stake) enjoys federal security auditing contracts," Gweeds observed.

    "They're making money, sure; but they're also increasing the reach of the Federal police state at the expense of fellow hackers who are being caught and put in jail."

    Gweeds also believes that the window between when an exploit is developed by the underground and publicly released is shrinking as hackers turned security-knights hasten to pad their resumes with proppies on BugTraq. This may be good for the computing public at large, but when the purpose of hacking is to liberate information which may well be of concern to the public, then it's just another sell-out.

    One of the nastier things a blackhat can do is exploit a company, say, for quick cash, which can be done many ways. Money can be leeched from a bank; proprietary information can be sold to a competitor, or sold back to the owner in a simple blackmail scam. These familiar and dark scenarios, along with numerous others, are the ones eagerly propagated by the Feds through the mainstream press.

    Yet one of the best things a blackhat can do is obtain and disseminate information which the public needs to know, e.g., internal memos indicating unsafe products, discrepancies between a company's SEC filing and its own accounts, dirty dealings with local property owners, and a hundred other routine crimes of corporations protected by walls of silence and spin and totalitarian internal rules.

    The rush to publish and take credit for discovering and patching a new exploit hobbles the positive efforts of blackhats with a social conscience (though admittedly no one knows how big a category that is).

    Finally, Gweeds elaborated the scam of corporate-sponsored security conferences and their role in nourishing the hacking/security/Fed food-chain, the most famous of which is BlackHat, and its handy companion side-show, Defcon.

    "BlackHat brings together CEOs and corporate security people and government and military people, to tell them why they need to spend money on security services and products." They then learn about intrusion techniques from hackers who are there essentially to frighten them.

    And then, when it's over, "BlackHat attendees get a free pass to Defcon, a hacker culture freak show, so they can see the people they're supposed to be afraid of up close and personal," Gweeds said.

    It was a refreshing piece of cynicism well expressed, and for me the highlight of the entire conference. I do hope USA Today caught it.
    It's not software piracy. I'm just making multiple off-site backups.

#2 (joined Mar 2002)
    Don't even get me started on lopht/@stake...

    A customer of mine was given a three page executive summary of how badly their network was f%$#. No other useful data, but @stake charged 10k for the summary, and wanted another 80k to actually fix the problems (this was a relatively small network of 200 nodes). My customer was dumbfounded at the 10k price (he thought 10k covered the actual threat assessment, not just the 3 page fluff), but he felt that he had to pay, or else @stake would come after them (since they already knew of their vulnerabilities).

    This is customer feedback mind you, not just industry babble...
    freedom is a road seldom traveled by the multitude

    freedom ain't free

#3 s0nIc (Fastest Thing Alive, joined Sep 2001)
    Hmm, abuse of power... just what separates the white hats from the black...

#4
    I love this crap about white hats/grey hats/black hats/**** hats and whatever. If you rob a bank to give all the money to an orphanage, you're still a thief. Period, end of argument. This bullshit altruism is just that, BS. These people are all a bunch of perps and deserve what they get (generally a slap on the wrist by our pathetic courts).
    I'd rather have a bottle in front of me than a frontal lobotomy.....

    Cyanide cocktail anyone? (with a pineapple twist, of course..)

#5 s0nIc (Fastest Thing Alive, joined Sep 2001)
    Hmm, so I guess you'd call the soldiers that served in the war "murderers"... because they killed people...

#6
    I'd have to agree with s0nIc on this one. You can't justify hacking into something without permission, period. Now it's a little bit different if you call the person on the phone or whatever and they say it's cool for you to look around; otherwise there is no such thing as black/grey/white hat in my opinion.

#7 (Senior Member, joined Aug 2001)
    Just because it's the internet doesn't change the fact that we're still humans. And humans are notorious for screwing each other over to try to make a fast buck. Whether they do it for the "good of all" or whether they do it as a form of blackmail is irrelevant; the end is still the same. Don't let anybody try to push you around. If some ******* at @stake tries to charge you $10000, tell them to leave. Take the server offline for a bit, do some research, or disable all non-essential programs: telnet, ftp, pop, smtp. Don't let your admin try to bully you either; you're his boss. If he starts getting unruly, can him and take the servers offline till a new admin is hired.
    Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.

#8
    I agree that vulnerability assessment is a great tool for determining where your weaknesses lie (as I'm sure that most people will agree also), but a company (i.e. @stake) essentially holding a network hostage for money, or else it will be wide open for hackers, is outrageous. In our company we spent a few bucks on ISS and hired an experienced person to take care of VA for us instead of relying on some money-hungry VA business, and it has saved us a lot of money in the long run. I agree with zepherin that no one should be bullied in order to have a secure network, and a little bit of homework goes a long way.

    -the eeshman

#9
    Yup, I also agree with what er0k posted: there is no difference between the three (black/grey/white hackers). I can say even white hackers have something to do with other scams on the net. Hackers only try to see if their system works, and it means it's time to correct their mistakes. Maybe I can say that on the net there is no such thing as security.

#10 (joined Aug 2001)
    "Post to BugTraq, become a well-known gadfly on the list, and, like Sir Dystic, get a high-paying job at Microsoft. It's an interesting progression: post a fix to a bug, work on the resume, release some software and then get offered a good job," Gweeds noted with sarcasm.
    Sir Dystic? As in CdC's Sir Dystic? Working for Microsoft?

    Microsoft Technet

    Microsoft thanks the following customers for working with us to protect customers:

    COVERT Labs at PGP Security, Inc., for reporting the unsolicited NetBIOS Name Conflict datagram issue to us.
    Sir Dystic of Cult of the Dead Cow for reporting the Name Release issue to us.
    The irony, the irony...or sarcasm...
