Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
Keyboard Cowboy,

Education is always a good thing. I think kids should have the opportunity to learn both sides of software security. Great suggestion.

Kids, by nature, are drawn to things that are taboo and demonized. Which hacking no doubt falls into, and according to Daniel, also Angelina Jolie.

We can find great analogies to the hacker kids problem in recent studies done on teenage behaviors: The Bible Belt, particularly evangelicals in the south, has the highest rates of teen sex and pregnancy in the US. Telling kids to abstain clearly doesn't work as well as teaching them how things work, and in particular careful education surrounding the use of safety devices. To the exact point you made in your blog.

We see the exact same statistics surrounding firearm safety and education (in the US, again). Children (and adults) exposed to firearm safety and education rarely fall into firearm-accident statistics. Studies indicate that it is the kids we hide things from that want to pull the trigger to see what happens when they discover the [taboo]. In locations where children have open and honest instruction, and are provided with viable outlets for their firearms (say, condoms) we find discharge accident rates to be lower per-capita. Again - the same point your blog post was making.

---

The Bad Peoples:

None of this does anything to solve the Bad People hacking problem. That solution requires Guns or Religion, which is far off topic for this list.

As Daniel pointed out - there's also a huge problem in webappsec with *poor people*. So, I think Daniel has some ideas for dealing with them too, but I, the reader, am not sure I understand what he is suggesting. When he comes back through the door maybe we'll learn more.

Definitely an exciting subject!
---
Arian Evans
Solipsistic Software Security Sophist

On Tue, Apr 13, 2010 at 6:33 AM, Daniel Herrera daherrera...@yahoo.com wrote:

> DARE didn't stop youth drug use, Sex Ed didn't stop teen pregnancy rates, Why would your program stop/reduce script kiddies... j/k
>
> In all seriousness I think your perspective on the cost/benefit is really skewed on this one. Attacks against US assets are a method of revenue generation in several impoverished areas around the world. Places where the infrastructure would have very little means to even begin implementing a program like you described without serious financial aid. And once such a system was put in place the financial drive would still push people to participate in this behavior to feed their families, pay their rent, etc.
>
> In the end I would try to think about the drivers behind malicious behavior a lot more closely. Sure there are examples where hacking has been romanticized in the past within our society but not enough for some kid to watch the movie HACKERS and then decide to go after his grandmother's credit card because then he would get to date Angelina Jolie. (well other than me)
>
> I wrote this on my way out the door so my point is in there somewhere but probably should go through some back and forth to get cleared up; let me know if you, the reader, disagree.
>
> Regards,
> Daniel
>
> --- On Mon, 4/12/10, Matt Parsons mparsons1...@gmail.com wrote:
>
>> From: Matt Parsons mparsons1...@gmail.com
>> Subject: [WEB SECURITY] RE: How to stop hackers at the root cause
>> To: 'Matt Parsons' mparsons1...@gmail.com, SC-L@securecoding.org
>> Cc: owaspdal...@utdallas.edu, 'Webappsec Group' websecur...@webappsec.org, webapp...@securityfocus.com
>> Date: Monday, April 12, 2010, 9:51 PM
>>
>> I have published a blog post on how I think we could potentially stop hackers in the next generation. Please let me know what you think of it or if it has been done before.
>>
>> http://parsonsisconsulting.blogspot.com/
>>
>> Matt Parsons, MSM, CISSP
>> 315-559-3588 Blackberry
>> 817-294-3789 Home office
>> Do Good and Fear No Man
>> Fort Worth, Texas
>> A.K.A The Keyboard Cowboy
>> mailto:mparsons1...@gmail.com
>> http://www.parsonsisconsulting.com
>> http://www.o2-ounceopen.com/o2-power-users/
>> http://www.linkedin.com/in/parsonsconsulting
>> http://parsonsisconsulting.blogspot.com/
>> http://www.vimeo.com/8939668

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
ACM SIGCSE will be pushing more information shortly on the K-12 program suggestions. I've heard it will include security.

-Rob

On Tue, Apr 13, 2010 at 9:27 PM, Jeremiah Heller jerem...@inertialbit.net wrote:

> an interesting point. if it were not socially unacceptable to perform ethnic cleansing it would still occur at the levels indicated in those examples. if it were not for the civil rights movement and the eventually wide-spread acceptance of the idea that discrimination based on superficial properties was bad, there would still be slavery.
>
> socially, groups clashed (and some still do) over their ideologies, which were used as a basis for logic and perceived sound-judgement. however the more we learn about the universe/world around us the more we understand how little we know and that any judgement can only be temporary, until more knowledge is gained.
>
> is it more ideologically sound to feed one's family or to obey a law which would allow them to starve simply due to a lack of other economic stimuli? i'm not speaking from any hard data, but i doubt that many third-world countries have a high local market for security experts, web developers, graphic designers, etc. so what is a poor third-worlder with an old hand-me-down PC and no job to do?
>
> do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me.
>
> the drive for survival seems key. i think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all don't hackers simply 'enslave' other computers? j/k
>
> until then it seems that educating people on how these things /work/ is the best strategy. eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house.
>
> first we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... don't get me wrong, i like my microwaves, they give me warm fuzzy feelings:)
>
> On Apr 13, 2010, at 3:14 PM, Carl Vincent wrote:
>
>> social acceptance is a horrible way to enforce change anyway. Japanese internment camps, the Holocaust, the civil rights wars of the American 40's, 50's, and 60's, the American red scare, the gay bashing that goes on to this day. All examples of large groups of people often doing things they don't agree with in order to behave according to socially acceptable tenets. ... Sounds like bad juju in my book -_-
>>
>> Paul Schmehl wrote:
>>
>>> --On Monday, April 12, 2010 23:51:27 -0500 Matt Parsons mparsons1...@gmail.com wrote:
>>>
>>>> I have published a blog post on how I think we could potentially stop hackers in the next generation. Please let me know what you think of it or if it has been done before.
>>>
>>> Essentially your argument is that education can solve the problem of bad hacking. While I certainly think education can help, I think there will always be an element of society that is irredeemably bad and cannot be gotten rid of (or corrected, if you will) through education. Even societal shunning, which makes bad behavior so socially unacceptable that it must hide in the shadows, does not rid us of those who refuse to behave according to acceptable tenets.
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
Jeremiah Heller writes...

> do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me.

Even though I've been involved in software security for the past dozen years or so, I still think this is a laudable goal, albeit a completely unrealistic one. I, for one, would be completely happy to go back to software development / systems programming if all the security issues completely disappeared. But unfortunately, I don't think we ever have to worry about this happening.

> the drive for survival seems key. i think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all don't hackers simply 'enslave' other computers? j/k

And of course, that is a good thing. After all, once the first sentient AI takes control of all the world's computers to subjugate all humanity, we have to have a way to fight back. Evil h40rs to the rescue! ;-)

> until then it seems that educating people on how these things /work/ is the best strategy. eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house.

I agree. Even though one risks ending up with smarter criminals, by and large if one addresses the poverty issues most people ultimately seem to make the right decisions in the best interests of society. I think for many, once their curiosity is satisfied and the novelty wears off they put these skills to good use. At least it seems to me a risk worth taking.

> first we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... don't get me wrong, i like my microwaves, they give me warm fuzzy feelings:)

Jeremiah, you do know that you're not supposed to stick your *head* in the microwave, don't you? No wonder you're getting the warm fuzzies. :)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788

"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, "How do we tell truths that matter?" http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
On Apr 14, 2010, at 11:19 AM, Wall, Kevin wrote:

> Jeremiah Heller writes...
>
>> do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me.
>
> Even though I've been involved in software security for the past dozen years or so, I still think this is a laudable goal, albeit a completely unrealistic one. I, for one, would be completely happy to go back to software development / systems programming if all the security issues completely disappeared. But unfortunately, I don't think we ever have to worry about this happening.

Indeed, I'm in the happy position of developing with an eye on security. Without the excellent work done by the 'good hackers' (and 'bad' alike, come to that) I have no doubt my job would be much more difficult. My comment was more playful than thoughtful but it is an interesting paradox... for any job. Luckily there's a lot left to learn!

>> the drive for survival seems key. i think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all don't hackers simply 'enslave' other computers? j/k
>
> And of course, that is a good thing. After all, once the first sentient AI takes control of all the world's computers to subjugate all humanity, we have to have a way to fight back. Evil h40rs to the rescue! ;-)

Hmmm, maybe I should switch fields...

>> until then it seems that educating people on how these things /work/ is the best strategy. eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house.
>
> I agree. Even though one risks ending up with smarter criminals, by and large if one addresses the poverty issues most people ultimately seem to make the right decisions in the best interests of society. I think for many, once their curiosity is satisfied and the novelty wears off they put these skills to good use. At least it seems to me a risk worth taking.

I agree that the risk of educating all is one worth taking. I like to think that objective education (if possible) would drive people over time to work toward ends that benefit society as a whole. At the same time it seems that this would ultimately require people to come from similar backgrounds/experiences or to at least draw similar conclusions from those, however varied. Perhaps a good thing but then could any thinking 'outside the box' really occur?

>> first we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... don't get me wrong, i like my microwaves, they give me warm fuzzy feelings:)
>
> Jeremiah, you do know that you're not supposed to stick your *head* in the microwave, don't you? No wonder you're getting the warm fuzzies. :)

Ahh! That explains it! I suppose I should stop drooling over that warming cup of coffee:)

What I find interesting (as a commentary about human behavior) is that the microwave was inspired by early work on radar and yet we took this idea and applied it to all sorts of technologies and currently blanket the earth with a wide spectrum of waves of which we barely understand the broader implications; furthermore very little research (to my knowledge) has been done to explore any side-effects. Is it simply too profitable/beneficial an enterprise to consider the risks? It took over 100 years to consider that burning fossil fuels might have some negative impacts, both to our immediate health and environment.

My dad related an interesting story to me recently about my grandfather who, while working at Boeing on a radar project, met a couple of radar techs who would keep their coffee warm by balancing it on the radar console between them. They also experienced what eventually became severe knee pain but each only in one knee and as they always sat in the same spot, it was in the knee next to the console. I'm not sure what the final diagnosis was but initially it was believed they were simply cooking their joints! Something to consider as we sit typing/reading and bathe in our lovely wifi cell networks (not to mention digital tv, which always seems to go on the fritz when I've got my head... er, coffee in the microwave:)

From http://www.gallawa.com/microtech/history.html
==
Like many of today's great inventions, the microwave oven was a by-product of another technology. It was during a radar-related research project around 1946 that Dr. Percy Spencer, a self-taught engineer with the Raytheon Corporation, noticed something very unusual. ...
==

Sorry to get off-topic like this, but at the same time general considerations about humanity's approach to risk management may have implications useful in the security field, who knows.

Thanks for the fun discussion!

- jeremiah