[ISN] Hackers, feds say govt. net security stinks | GCN August 10, 1998

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 13 Aug 1998 - 18:56:08 CDT
Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>

http://www.gcn.com/gcn/1998/August10/1c.htm

LAS VEGAS (GCN) [8.10.98] Hackers and feds faced off at the Black Hat
Briefings last month but also found they had something in common: a lack
of respect for the government’s network security tactics.
 
“In general, we don’t have a clue what the threat is and what ought to be
done about it,” said a Defense Department employee who identified himself
only as Ken.

Everybody basically does whatever he likes, said Marcus Ranum, a former
hacker who characterized himself as a white hat. 

“That’s one of the reasons government security is so lame,” Ranum said. “I’ll
believe the government is serious about security when somebody at the
Pentagon gets fired.”

The briefings brought hackers face to face with public- and private-sector
systems administrators for two days of talks. Most panelists were
identified by handles or first names only. The federal session barred
photographers. 

The hacker panel, despite casual attire, nevertheless represented
corporate officials and consultants. Ranum, for instance, is president and
chief executive officer of Network Flight Recorder Inc. of Woodbine, Md.,
a network monitoring tools maker. 

One hacker, identified only as Artimage, said, “Right now I’m a college
student, so I’m doing it for the grade. But next year, I’m in it for the
money. I’m a whore; I admit it.”

For the most part, the panelists presented themselves as ethical hackers
who distinguished between breaking into systems and breaking code to
identify weaknesses. 

“The only people who really break into machines are malicious kids,” said
a hacker who called himself Peter. 

The federal participants had even more complaints about government
security practices than they did about hackers. 

“A lot of managers have no idea where to start looking” for
vulnerabilities, said a government auditor who identified herself as Ceil. 

“I have become very cynical about the people who manage government systems
and the vendors who are selling them things to secure those systems. You
wouldn’t sell a Porsche to a 3-year-old who wanted a Matchbox car, but
that’s what they’re doing—selling Porsches to dumb little 3-year-olds,”
Ceil said. 
 
Fed roadblock
 
She said parochial attitudes and stovepipe mentalities within agencies
make it difficult to assess problems, let alone find solutions. 
 
One federal employee, who performs vulnerability assessments for the
Defense Information Systems Agency, defended government security efforts. 

“We’ve got old management with old ways of thinking who need to be
educated,” he said, but “the government is not sitting idly by.”
 
Flaws are getting identified and closed, he said. “It’s a problem that is
never-ending. Congress is throwing a lot of money at it.”
 
Making a system Internet-accessible is asking for trouble, said a hacker
identified as Mudge. 

“There should be liability for not doing due diligence on your system when
you’ve invited people in to take a look,” he said. 

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Fri Aug 14 08:56:30 1998