Security Industry Under Scrutiny #4

SECURITY AND MURDER

In 1993 James Perry was contracted by a man named Lawrence Horn to murder Horn's wife, his quadriplegic son, and the son's nurse, in the hope that the family's life insurance would pay out over $2 million. James Perry wasn't a professional killer. He had never committed a triple murder before. In fact, had it not been for a book written by Rex Feral, and published by Paladin Enterprises in 1983, titled "Hit Man", Perry would not have had sufficient knowledge or confidence to carry out the short homicidal spree.

Over 13,000 copies of "Hit Man" were sold to the public before the murder, the cover of which has a subtitle reading "A Technical Manual for Independent Contractors". In the preface to the book, Rex Feral breeds support for malicious intent of his text by writing:

"It is my opinion that the professional hit man fills a need in society and is, at times, the only alternative for "personal" justice..."

"Some people would argue that in taking the life of another after premeditation, you act as God -- judging and issuing a death sentence. But it is the employer, the man who pays for the service, whatever his reason might be, who acts as judge. The hit man is merely the executioner, an enforcer who carries out the sentence."

The problem, though, is that the law does not discriminate on the same moral basis. When Perry was caught, he, Horn, and Paladin Press (a subsidiary of Paladin Enterprises) were all brought before court on serious charges. Paladin Enterprises argued that America's First Amendment (the right to free speech) protected the business from legal action, because the corporation had no idea that James Perry and Lawrence Horn would use the book to plot and execute a triple murder. But after years of trial, Paladin lost the case and was ordered to pay the families of the victims millions of dollars in compensation. Horn is serving a life sentence, and Perry, at last count, was on Death Row.
Paladin Press was ordered to destroy the remaining 700 copies of "Hit Man" it had waiting to be sold. It lost intellectual property rights, making the text open for free public circulation. "Freedom of speech" clearly didn't cover "freedom to aid criminals".

Why am I writing about this triple murder in this release of SIUS? I think the parallels speak for themselves.

"Searched the web for how to hack. Results 1 - 10 of about 11,100,000."

"Searched the web for how to commit murder. Results 1 - 10 of about 667,000."

This afternoon I read through Simple Nomad's "The Hack FAQ" with its frequent winking smilies and all. It has no doubt been written not for system admins, but rather with malicious readers in mind. Teenagers who've decided they want to become hackers, but do not know how to become l33t. Funnily enough, there weren't many fundamental differences between "The Hack FAQ" and "Hit Man".

He writes:

"Learn as much as possible about your target before the attack. The techniques involved can be passive to bordering on mini-attacks themselves. And plan out your goals. Using your knowledge gained develop a plan, no matter how small or quick the hack is."

At the top of chapter 5, Feral writes:

"Only a fool will rush right into a job without doing his homework. You have to know your target, whether it's a job for hire or a personal endeavour. Every scrap of up-to-date information you can gather inconspicuously should be assembled and studied to guarantee the success of your operation. Information requirements will vary, depending on the type and difficulty of the job. Even the most minute, seemingly unimportant detail can be just the very item you need."

In Section 12.6, Nomad writes:

"Use the Offline NT Password Editor by Petter Nordahl-Hagen. You need to download Petter's code to your Linux machine (you DO have one of those, don't you?) and compile it using a libDES and MD4 library. Now mount the NT drive read/write and follow the instructions in the readme.
The instructions are pretty easy to follow, especially if you know enough to get to the point to use them ;-)"

Then there's Feral in Chapter 2:

"Get two extra fifteen or thirty shot clips from your local gun dealer or order through one of the gun magazines. But never load these clips to full capacity, as they tend to jam when fully loaded. When loading the clip before job assignment, be sure to wipe each bullet to remove fingerprints, or spray with WD-40 or some other oil."

Rex Feral, a Writer and Professional Killer:

"On the following pages, you will learn how to make, without the need of special engineering ability or expensive machine shop tools, a silencer of the highest quality and effectiveness."

Craig Ozancin, a Senior Security Analyst at Symantec:

"This presentation introduces you to some of the types of attacks used to compromise Linux systems..."

These kinds of quotes are over-common in the security industry.

I am currently reading through "Hit Man". As Feral suggests at the end of his prologue, I have avoided skipping idly through the pages, and am starting at the very beginning. Apparently this will see me turn from an amateur killer into a professional. Just like reading Nomad's FAQ should give me some idea of how to commit cybercrime.

I assume my intent for reading this book is somewhat different to that of Perry's. Or at least my intent for the knowledge in the meantime is innocent. But after reading the book I do expect to be more informed about how to commit murder. Just as when people read advisories on bugtraq or full-disclosure, they expect to be more informed about hacking/posing security risk.

But what differentiates me from Perry? Perry held no personal vendetta against those three victims. He killed for money. Using the information contained in the archives of full-disclosure and bugtraq, and those sources alone, I could learn how to commit criminal acts with my computer.
I could treat these criminal activities with as much detachment as Perry. The only thing that holds me back from doing this is self-control. Can you not see the fragile and crumbling edge I sit on, leaning over to peer into a vast valley of crime and profit? And every single time I see an advisory this pushes me that little bit further towards a desire to just jump off. And I am not alone on this cliff.

How long are we going to hold back from making these security companies responsible for providing the same potency of information as Paladin Press did? Any major internet security site will give you links to places where you can download hacking utilities. Utilities that will be used by people with the same degree of malicious intent as Perry and Horn.

The media encourages hacking. Hollywood says it's trendy. Anyone with a computer has thought about it at least once, and many have sought to take the next step, despite how little they know. And what does the security industry do? It helps them down that cliff. People on the internet aren't just told how to commit cybercrime, they are encouraged to be malicious enough to do so.

Please, somebody make these security fucktards responsible for the information they pump out! It's one of the best ways to stop cybercrime. If we stop rewarding wannabe hackers with fame & power security WILL improve. To do otherwise is to give people like Perry and Horn cash rewards for killing more wives and quadriplegic sons and innocent nurses.

I leave you with a quote I really liked, from Rex Feral, in Chapter 8:

"Don't brag. Don't boast. Don't hint at what you know or what you have done. Don't confide in your girlfriend, your wife, or your best buddy. Only insecure bores must build themselves up by other people's opinions."

peace & <3
sockz

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 04:14:27 PST