[ISN] Part 2: Q&A with Jeff Moss on computer hacking

From: InfoSec News <alerts_at_private>
Date: Tue, 20 Oct 2009 02:18:38 -0500 (CDT)
http://news.cnet.com/8301-27080_3-10377162-245.html

By Elinor Mills
InSecurity Complex
CNet News
October 19, 2009

Like many young hackers, Jeff Moss got his start copying computer games, 
learned how to program, and began to explore the world through a modem.

Unlike many young hackers, Moss has managed to turn his computer and 
social-networking skills into a business. He founded Defcon, the first 
major hacker conference and the largest in the world, as well as Black 
Hat, its more corporate counterpart. And now he is helping the U.S. 
government, as a member of the Homeland Security Advisory Council.

Moss talked to CNET News during National Cyber Security Awareness Month 
about his digital coming-of-age and how Google, Yahoo, Facebook, and 
other sites are putting consumer privacy at risk and jeopardizing 
social-justice movements around the world.

This is the final installment of a two-part Q&A with Moss. Part 1 ran on 
Friday.

Q: When you first started Defcon, that was what year again?

Moss: Ninety-two, '93. I think I started planning in '92 and it happened 
in '93.


So, things were different then. Can you talk about how the landscape has 
changed and what the real threats are now?

Moss: I'd say the biggest change is just that money got involved and 
once money was involved it changed everything. Actually that's not true. 
Technology grew up. So two things: money and technology. Technology grew 
up and a lot of the original motivations for hacking sort of changed, at 
least for my generation. When Internet access is essentially free and 
Unix is free and phone calls are essentially free and pennies on the 
minute, not dollars on the minute, why do you need to steal a phone call 
when it's free? Why do you need to break into a university to read man 
(manual) pages on Unix when you can download free security guides 
online?
 
You had to work so hard to learn something, and once you learned it you 
felt like it was yours. You made it yours by discovering it and figuring 
it out and sharing it with your friends. But now it's basically just 
handed to you on a Google search page so that motivation is just 
different now. Now it's not a question of figuring out how the SS7 phone 
switching network works. You can download 50 documents that tell you how 
it works. It's more about now the information is basically free what do 
you do with the information? How do you use it? Before it was about the 
quest for information; just getting your hands on the information was a 
victory.

As soon as people started making money on the Net...during the dot-com 
boom, that's when you could see the impact. Everybody needed somebody 
with Internet skills. And at that time it was hackers and early 
adopters. So all the early adopters could go out and get paid for their 
hobbies. That changed the nature of it too. It became a job as opposed 
to a hobby. When the criminals finally caught on that there was some 
real money with low risk and potential high reward...once nation states 
and organized crime groups got involved, that was the end of the age of 
innocence. It happened really quickly; 10 years or so. It used to be 
that you could probably defend against the bored college student and a 
couple of his buddies and you could do some defensive maneuvers and 
watch your log and know when somebody is poking around (your network) 
and have a pretty good handle on things. 

But the amount of noise and the amount of scanning and the amount of 
resources that people can put against you now, it's kind of...(laughs) I 
used to always say that large governments, military, and an EDS or a 
Microsoft, they've got the in-house talent to defend themselves and the 
budget to do it if they have to. But the SMBs, the small and medium 
businesses, they don't have the talent or the budget or the experience, 
so those poor companies are at a disadvantage in this kind of world... 
The technology hasn't matured to where you just plug it in and it works. 
You still need a certain amount of high-end talent if you want to be 
secure. So we're not at the point where you buy a car and you've got the 
air bag. We're not there yet. Every year the bar keeps getting raised 
and it's a little bit harder to break in. But that just means that the 
better-funded organized crime groups and governments could potentially 
be the last ones left standing. And when the attacks get so 
sophisticated and so subtle your average sec guy is not going to 
necessarily have the computer skills to protect against it.

[...]


Received on Tue Oct 20 2009 - 00:18:38 PDT
