Re: [ISN] ICSA employs an undercover hacker spy.

From: mea culpa (jerichot_private)
Date: Sun Jul 05 1998 - 22:21:24 PDT


    [Moderator: Going to wrap up this installment with two more posts about
     ICSA. Please take it off list after that (and CC me in :)]
    
    Reply From: Brian Macke <macket_private>
    
    > >Can anyone verify this story? It sounds all too hokey to be true. The BIND
    > >vulnerability was one of those annoying hacks that didn't see first light
    > >on BUGTRAQ, or even USENET. It was my understanding that CERT got first
    > >word from people who got hit, and was without verifiable source to begin
    > >with. Their notifications were quite humorous for their lack of
    > >concrete evidence of WHAT was happening.
    > 
    > I'll verify it, but I don't guess you'll look at me as objective, and
    > that's OK, I'm not.  Don't believe it if you don't want to.  That works for
    > me just fine 8-)
    
    You're right, I won't consider you objective - no one truly ever is. But
    if you have proof, I'll listen. I'm seriously not prejudicial towards
    ICSA, I just am extremely skeptical of what they put out as doctrine. I
    think I'm rather justified in my skepticism when two ICSA certified
    'firewalls' have proven to me to be worse than a direct connection or
    homebrew 'firewall'.
    
    (Those are PIX and WatchGuard, BTW. I still stand by my statement that I
    wouldn't put a WG box on my network, much less use it as a monitor stand.
    I actually tried using it as a monitor stand this last week - the thing
    sags in the middle under the weight.)
    
    > >Before or after they front the $20,000 blood money for ICSA?
    
    (That was a jab at firewall certification... I think you missed it. I
    agree it was kind of subtle.)
    
    > >Love the Scooby Doo ending. Wish all Security incidents ended with a
    > >punchline.
    > 
    > We're so glad you enjoyed it.
    
    It was more of an indictment of journalists covering these kinds of
    stories (unless the crew at ICSA thought this one up... it doesn't sound
    like it, though). When you write a technical article in a non-technical
    circular, (hackers in Forbes, for example), you need a 'Scooby-Doo'
    punchline to make the reader feel good about what they just read...
    something they can relate to. While that's all well and good for Mr. Joe
    Banker in Northampton, Mass. - it's ingratiating to those in the field.
    It's very difficult to describe my job to 'normal folks', and it gets even
    more so when people read articles like this with happy endings. Real
    security is gritty, ugly, and painful - surrounded by people that want to
    make my company a trophy, and managers that don't think it's that big of a
    deal. I'm not alone in this - most everyone I rub elbows with in the field
    agrees. 
    
    So label me bitter if you'd like, it won't be the first time. 
    
    > Regards,
    > 
    > Dave Kennedy CISSP
    > International Computer Security Assoc http://www.ncsa.com
    > Protect what you connect.
    > Look both ways before crossing the Net.
    
    -Brian James Macke					macket_private
     Unix SysAdmin/Security Specialist			Telegroup, Inc.
        "In order to get that which you wish for, you must first get that which 
         builds it."			-- Unknown
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:02 PDT