[585] in Intrusion Detection Systems


RE: Former Hacker's Intro

daemon@ATHENA.MIT.EDU (J.R.Valverde (jr))
Tue Feb 13 17:36:52 1996

Date: Mon, 12 Feb 1996 10:26:45 +0100 (WET)
From: "J.R.Valverde (jr)" <JRVALVERDE@Samba.cnb.uam.es>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au

>    I wholeheartedly concur with the flame sent in response to the "former" 
>    hacker's introduction.  This sort of individual bragging about his 
>    criminal background and his obvious expectations of attaining wealth as 
>    a legitimate entrepreneur are not unlike other organized criminals 
>    buying legitimate businesses with their ill-gotten gains.  Rewarding 
>    these types with consulting business and publishing royalties only 
>    encourages other seemingly intelligent people to do the same - this is 
>    not on the job training, and costs businesses billions of dollars in 
>    losses and required, preventive measures!
>
        Well, I must say something on the contrary: first denying a way
to rehabilitation to anyone is just another way into forcing them to
continue using their, er, "unorthodox" methods. Maybe that's what these
people want: increase intruders to justify their IDS works?

        One bad guy less and one good guy more. What's so bad?

        As for training: I don't know of many places, if any, that teach
about intrusions, let students play a tiger team, and better understand
how intruders work in a controlled environment with appropriate guidance. 
I for one learnt most on the net. I don't think it is a good way, just 
like learning about drugs in the streets isn't.

        If you're worried, allow for a security education and favor those
who follow it. Don't forbid rehabilitation. 

        As for business losses:

        While it is true, it is no less true that many enterprises, 
banks especially, deny any intrusion: denial of a problem is never a
solution. And many more consider it worthless to invest in security
at all: if we have to believe OS developers, we don't have secure
systems because customers don't want them. Maybe that means they
prefer to have these losses. Maybe they are not so big. As a matter
of fact since they deny them, there's no easy way to be sure of
the actual facts.

        Not to say: where are those losses? Isn't it snake oil? If
we have to believe what most of those companies officially say, they 
have never had losses from hackers. Security by obscurity? Or is it a way
to disguise bad management decisions as break-in losses on behalf of
that obscurity? Probably both, actual and mythical losses happen.
Remember ATT and the witch hunt of phrackers for what actually
were badly designed equipment failures?

        Charging then intruders, which still are guilty, of what is
also their negligence, and complaining about a fact of life like there
is always an intruder, denying its existence and refusing to take any
defensive measure is not a very intelligent approach. Maybe we also
need to teach intelligent people *not in the computer arena* about
intrusions and their economic relevance (if any, saw last CACM news?).

        I am interested in IDS. But much more in intrusion prevention.
And the best way I have found to date is to educate brilliant students:
allow intelligent young hackers to play and discover by themselves,
_guiding them_ so they know where the "good" way is. And to tell young,
intelligent managers, economists, bizdos, what an intrusion can do to
them and guiding them through the "good" way of "good" managerial
protective decisions.

                                jr
