[Full-Disclosure] Security Industry Under Scrutiny #4

From: sockz loves you (sockzat_private)
Date: Tue Jan 21 2003 - 03:56:11 PST


                           Security Industry Under Scrutiny #4
                                   
                                  SECURITY AND MURDER
                                   
    
    In 1993 James Perry was contracted by a man named Lawrence Horn to murder
    Horn's wife, his quadriplegic son, and the son's nurse, in the hope that the
    family's life insurance would pay out over $2 million.
    
    James Perry wasn't a professional killer.  He had never committed a triple
    murder before.  In fact, had it not been for a book written by Rex Feral, and
    published by Paladin Enterprises in 1983, titled "Hit Man", Perry would not
    have had sufficient knowledge or confidence to carry out the short homicidal
    spree.
    
    Over 13,000 copies of "Hit Man" were sold to the public before the murder, the
    cover of which has a subtitle reading "A Technical Manual for Independent
    Contractors".  In the preface to the book, Rex Feral breeds support for the
    malicious intent of his text by writing:
    
    "It is my opinion that the professional hit man fills a need in society and is,
    at times, the only alternative for "personal" justice..."
    
    "Some people would argue that in taking the life of another after premeditation,
    you act as God -- judging and issuing a death sentence.  But it is the employer,
    the man who pays for the service, whatever his reason might be, who acts as 
    judge.  The hit man is merely the executioner, an enforcer who carries out the
    sentence."
    
    The problem though, is that the law does not discriminate on the same moral
    basis.  When Perry was caught, he, Horn, and Paladin Press (a subsidiary of
    Paladin Enterprises) were all brought before court on serious charges.
    
    Paladin Enterprises argued that America's First Amendment (the right to free
    speech) protected the business from legal action, because the corporation had no
    idea that James Perry and Lawrence Horn would use the book to plot and execute
    a triple murder.  But after years of trial, Paladin lost the case and was
    ordered to pay the families of the victims millions of dollars in compensation.
    Horn is serving a life sentence, and Perry at last count, was on Death Row.
    Paladin Press was ordered to destroy the remaining 700 copies of "Hit Man" it
    had waiting to be sold.  It lost intellectual property rights, making the text
    open for free public circulation.
    
    "Freedom of speech" clearly didn't cover "freedom to aid criminals".
    
    Why am I writing about this triple murder in this release of SIUS?  I think the
    parallels speak for themselves.
    
    "Searched the web for how to hack.  Results 1 - 10 of about 11,100,000."
    "Searched the web for how to commit murder.  Results 1 - 10 of about 667,000."
    
    This afternoon I read through Simple Nomad's "The Hack FAQ" with its frequent
    winking smilies and all.  It has no doubt been written not for system admins,
    but rather with malicious readers in mind.  Teenagers who've decided they want
    to become hackers, but do not know how to become l33t.  Funnily enough, there
    weren't many fundamental differences between "The Hack FAQ" and "Hit Man".
    
    He writes:
    "Learn as much as possible about your target before the attack. The techniques
    involved can be passive to bordering on mini-attacks themselves. And plan out 
    your goals. Using your knowledge gained develop a plan, no matter how small or
    quick the hack is."
    
    At the top of chapter 5, Feral writes:
    "Only a fool will rush right into a job without doing his homework. You have to
    know your target, whether it's a job for hire or a personal endeavour.  Every
    scrap of up-to-date information you can gather inconspicuously should be 
    assembled and studied to guarantee the success of your operation. Information
    requirements will vary, depending on the type and difficulty of the job. Even 
    the most minute, seemingly unimportant detail can be just the very item you
    need."
    
    In Section 12.6, Nomad writes:
    "Use the Offline NT Password Editor by Petter Nordahl-Hagen. You need to 
    download Petter's code to your Linux machine (you DO have one of those, don't
    you?) and compile it using a libDES and MD4 library. Now mount the NT drive 
    read/write and follow the instructions in the readme. The instructions are 
    pretty easy to follow, especially if you know enough to get to the point to
    use them ;-)"
    
    Then there's Feral in Chapter 2:
    "Get two extra fifteen or thirty shot clips from your local gun dealer or order
    through one of the gun magazines. But never load these clips to full capacity,
    as they tend to jam when fully loaded. When loading the clip before job 
    assignment, be sure to wipe each bullet to remove fingerprints, or spray with
    WD-40 or some other oil."
    
    Rex Feral, a Writer and Professional Killer:
    "On the following pages, you will learn how to make, without the need of special
    engineering ability or expensive machine shop tools, a silencer of the highest
    quality and effectiveness."
    
    Craig Ozancin, a Senior Security Analyst at Symantec:
    "This presentation introduces you to some of the types of attacks used to
    compromise Linux systems..."
    
    These kinds of quotes are over-common in the security industry.
    
    I am currently reading through "Hit Man".  As Feral suggests at the end of his
    prologue, I have avoided skipping idly through the pages, and am starting at 
    the very beginning.  Apparently this will see me turn from an amateur killer
    into a professional.  Just like reading Nomad's FAQ should give me some idea of
    how to commit cybercrime.
    
    I assume my intent for reading this book is somewhat different to that of
    Perry's.  Or at least my intent for the knowledge in the meantime is innocent.
    But after reading the book I do expect to be more informed about how to commit
    murder.  Just as when people read advisories on bugtraq or full-disclosure, they
    expect to be more informed about hacking/posing security risk.
    
    But what differentiates me from Perry?  Perry held no personal vendetta against
    those three victims.  He killed for money.  Using the information contained in
    the archives of full-disclosure and bugtraq, and those sources alone, I could
    learn how to commit criminal acts with my computer.  I could treat these
    criminal activities with as much detachment as Perry.  The only thing that holds
    me back from doing this is self-control.
    
    Can you not see the fragile and crumbling edge I sit on, leaning over to peer
    into a vast valley of crime and profit?  And every single time I see an advisory
    this pushes me that little bit further towards a desire to just jump off.  And I
    am not alone on this cliff.
    
    How long are we going to hold back from making these security companies
    responsible for providing the same potency of information as Paladin Press did?
    Any major internet security site will give you links to places where you can
    download hacking utilities.  Utilities that will be used by people with the same
    degree of malicious intent as Perry and Horn.
    
    The media encourages hacking.  Hollywood says it's trendy.  Anyone with a
    computer has thought about it at least once, and many have sought to take the
    next step, despite how little they know.  And what does the security industry
    do?  It helps them down that cliff.  People on the internet aren't just told how
    to commit cybercrime, they are encouraged to be malicious enough to do so.
    
    Please, somebody make these security fucktards responsible for the information
    they pump out!  It's one of the best ways to stop cybercrime.  If we stop
    rewarding wannabe hackers with fame & power security WILL improve.  To do
    otherwise is to give people like Perry and Horn cash rewards for killing more
    wives and quadriplegic sons and innocent nurses.
    
    
    I leave you with a quote I really liked, from Rex Feral, in Chapter 8:
    
    "Don't brag. Don't boast. Don't hint at what you know or what you have done. 
    Don't confide in your girlfriend, your wife, or your best buddy. Only insecure
    bores must build themselves up by other people's opinions."
    
    
    peace & <3 sockz
    


