[ISN] Hackers, feds say govt. net security stinks | GCN August 10, 1998

From: mea culpa (jerichoat_private)
Date: Thu Aug 13 1998 - 16:56:08 PDT


    Forwarded From: William Knowles <erehwonat_private>
    
    http://www.gcn.com/gcn/1998/August10/1c.htm
    
    LAS VEGAS (GCN) [8.10.98] Hackers and feds faced off at the Black Hat
    Briefings last month but also found they had something in common: a lack
    of respect for the government’s network security tactics.
     
    “In general, we don’t have a clue what the threat is and what ought to be
    done about it,” said a Defense Department employee who identified himself
    only as Ken.
    
    “Everybody basically does whatever he likes,” said Marcus Ranum, a former
    hacker who characterized himself as a white hat.
    
    “That’s one of the reasons government security is so lame,” Ranum said. “I’ll
    believe the government is serious about security when somebody at the
    Pentagon gets fired.”
    
    The briefings brought hackers face to face with public- and private-sector
    systems administrators for two days of talks. Most panelists were
    identified by handles or first names only. The federal session barred
    photographers. 
    
    The hacker panel, despite casual attire, nevertheless represented
    corporate officials and consultants. Ranum, for instance, is president and
    chief executive officer of Network Flight Recorder Inc. of Woodbine, Md.,
    a network monitoring tools maker. 
    
    One hacker, identified only as Artimage, said, “Right now I’m a college
    student, so I’m doing it for the grade. But next year, I’m in it for the
    money. I’m a whore; I admit it.”
    
    For the most part, the panelists presented themselves as ethical hackers
    who distinguished between breaking into systems and breaking code to
    identify weaknesses. 
    
    “The only people who really break into machines are malicious kids,” said
    a hacker who called himself Peter. 
    
    The federal participants had even more complaints about government
    security practices than they did about hackers. 
    
    “A lot of managers have no idea where to start looking” for
    vulnerabilities, said a government auditor who identified herself as Ceil. 
    
    “I have become very cynical about the people who manage government systems
    and the vendors who are selling them things to secure those systems. You
    wouldn’t sell a Porsche to a 3-year-old who wanted a Matchbox car, but
    that’s what they’re doing—selling Porsches to dumb little 3-year-olds,”
    Ceil said. 
     
    Fed roadblock
     
    She said parochial attitudes and stovepipe mentalities within agencies
    make it difficult to assess problems, let alone find solutions. 
     
    One federal employee, who performs vulnerability assessments for the
    Defense Information Systems Agency, defended government security efforts. 
    
    “We’ve got old management with old ways of thinking who need to be
    educated,” he said, but “the government is not sitting idly by.”
     
    Flaws are getting identified and closed, he said. “It’s a problem that is
    never-ending. Congress is throwing a lot of money at it.”
     
    Making a system Internet-accessible is asking for trouble, said a hacker
    identified as Mudge. 
    
    “There should be liability for not doing due diligence on your system when
    you’ve invited people in to take a look,” he said. 
    