It is interesting to see on this mailing list that gray hat hackers are defended as
the only people who have a clue, and without them the security industry would be in
the dark ages.
One person from the United States Navy accused me of being unethical for mentioning
Mudge's real name as Peiter Zatko. When did the Navy become so interested in hiding
the identity of hackers? Anyone could've found his name by reading recent news
articles on Yahoo:
"Mudge, an executive at Internet security company ATStake who was named by the White
House as Peiter Zatko. Mudge is a self-described 'gray hat' hacker..."
http://dailynews.yahoo.com/h/nm/20000215/pl/tech_hackers_8.html
Some of the responses reminded me of the old clichéd sayings, "Information wants to be
free" and the old hacker's ethic: "It's ok to break into and backdoor someone's
system, as long as you are not malicious." It is probably not worth trying to reason
with someone who cannot understand that the notion of breaking into someone else's
property without authorization is unethical, illegal, and criminal.
Back Orifice 2000: trojan or not a trojan? One response to my previous message from
Ryan Russell mentions it could be used as a trojan, but it's not really. Let's see.
Hackers at DefCon released it to demonstrate weaknesses in the Windows OS. It has
features that try to hide or disguise its existence from administrators and users.
Most of the Buttplug plugins for BO2K were geared towards hacking. If it sounds like a
duck, smells like a duck, looks like a duck, it might be a duck. It is probably not
worth arguing whether it is a remote administrative tool or a trojan, but my preference
is to call it a trojan and I don't think I am way off. You could argue that all
buffer overflow exploits in network services are really built-in remote administrative
features, i.e., bugs that are really features. I had 2 people email me that Microsoft
SMS is actually really a trojan; that's just stupid and idiotic, despite what
www.cultdeadcow.com says.
Create problem, sell antidote. Regarding L0pht members partaking in creating Back
Orifice, and then profiting from a solution that protects against it, Ryan goes on to
say that he doesn't think that's too horrible. Yes, it might not be the worst thing
L0pht has done, but similarly, if I knew my anti-virus company was behind coding many
of the viruses floating around in order to get people to buy their product, I would
switch to a new anti-virus company.
Gray hat hackers vs. the Big 6. Someone mentioned the Big 6 accounting firms as a reason
why you should hire gray hat hackers. The Big 6 have always lacked skilled
security professionals. Of the Big 6, Ernst & Young, which had the best security
talent with its eXtreme team, has recently had a major exodus of security talent to many
small security startups like www.ramsec.com. This departure continues to be a signal
to avoid these firms for security: you can audit my taxes, but don't try to protect
my network. Just because the Big 6 are failures in security, I am not convinced that
hiring gray hat hackers is a good thing.
Gray hat hacker definition. There seems to be some confusion on what a gray hat is.
It used to be known that white hats were the good guys. Black hats were the bad guys.
I assume this is still the same. I quoted from the USA Today article (the link to which I
included in my previous post) as gray hats being "on the edge between good
and evil hackers." I did not put words in anyone's mouth, just borrowing. There
seem to be at least two interpretations of the definition of gray hat hackers.
One definition of gray hat hackers is people who are active in the underground, who
go by their hacker handles, who are in hacker groups, who perform illegal or
questionable hacking currently or have in the past, and who are now trying to get paid
for hacking/security consulting.
Another definition of gray hats is someone who posts vulnerabilities. If all gray
hats did was post vulnerability information, that would be great, but many security
professionals disclose vulnerability information as well and don't claim to be a gray
hat. So, they must be more than just posting security flaws. Somewhere between the 2
definitions may lie the gray hat definition. I am not convinced that just because a
gray hat hacker has posted an exploit to the public, they make good employees or
consultants.
Let's say we used the 1st definition of gray hat hackers, those who are breaking into
systems without permission (and beyond script kiddiez since they can actually code
exploits and backdoors): would you still hire that gray hat hacker? Would you hire
them just for penetration testing? How about to configure your firewalls? Or to
actually run and operate the company's security?
If a gray hat can find a security flaw, does that make them effective at developing a
security policy and rolling it out across the network and hundreds of servers?
Did having a gray hat hacker involved with the White House summit provide any
information that Vinton Cerf, father of the Internet, Dr. Eugene Spafford, security
professor at Purdue, and Allan Paller from SANS did not know about distributed denial
of service attacks?
Are the security skills of professional security experts so limited and bad that companies
and governments must resort to hiring gray hat hackers?
Thanks,
-- JA
Jeff Andrews,
Senior Security Engineer