Date: Tue, 25 Jun 91 14:12:25 EST
From: Gene Spafford <spaf@CS.PURDUE.EDU>
Subject: Comments on ComSec Data Security
********************************************************************
*** CuD #3.24: File 4 of 8: Comments on ComSec ***
********************************************************************
I have a quick comment on the report of the start-up of Comsec Data
Security. I have been quoted as asking people if they would hire a
confessed/convicted arsonist to install their fire alarm system when
talking about hiring "reformed" system crackers to do computer
security. Personally and professionally, I think it is a dangerous
decision from a business perspective and from a professional
perspective.

From a business perspective, you need to ask yourself the following
questions:

* If these guys know how to break through certain kinds of
security, does that prove they know how to make the security
better?

Using an analogy to start with, does someone who has experience
putting sugar in the gas tank know how to tune the engine? Or, more
closely, does someone who has shown expertise at stealing cars with
the keys left in the ignition know how to tell you something more
valuable than not to leave the keys in the ignition? They can guess
at telling you to leave the doors locked and windows rolled up. But
can they tell you about car alarms, various forms of
insurance, removable stereos, LoJac (sic?) tracers, cost/benefit of
using various other models of car, etc?

Likewise, with computer security, because some people have had good
luck breaking weak passwords and circumventing poorly-placed controls,
that does not make them experts in security. What do these guys know
about formal risk assessment models, information theoretical background
of ComSec evaluation, formal legal requirements for security, business
resumption planning, employee training, biometric systems, .....?

* How do you know they are reformed?

Just because they claim they have reformed and hang a shingle out,
does that mean they have *really* reformed? If your business presents
a very tempting target, how do you know they aren't casing the system
to make a single big haul and then skip town? How do you know they
aren't going to traffic info on your system with their friends? One
big haul and a quick trip to another country with no extradition, and
that's it.

The literature is full of instances where people with clean records
couldn't resist the temptation to take advantage of their access to
the system to make a quick buck. How much more can you trust people
who have already shown they aren't particularly interested in niceties
of the law and ethics?

Ask the folks at SRI if hiring "reformed" crackers/phreakers is
ultimately a sound business decision....

* Can you be sure if these guys find some of their former
associates playing with your system, they will act in your best
interests?

This is a standard problem in a new realm -- will these guys really
turn in their former buddies if they find that they have penetrated a
client's system?

* If they miss a problem, or cause a problem, will your business
insurance pay off? Will you be immune from prosecution or
stock-holder's lawsuits?

These guys and others like them have a checkered history. Hiring them
to protect your systems against loss could be grounds for negligence
suits in the case of loss, or be sufficient to cause non-payment of
insurance policies. In the case of various state & federal laws, you
might be responsible for not showing a concerted effort to really
protect your data.

Are these guys bondable? If so, for how much? Can they receive
security clearances?

The decision is also a bad one professionally. What kind of statement
does hiring these guys send to the rest of the world? It says "Gee,
build up some experience hacking into other people's (or our) systems
without permission, and we'll give you a job!"

That's a bad statement to make.

Furthermore, it says to the true professionals in the field, the
people who study the material, act professionally and ethically their
whole careers, and who make every attempt to be responsible: "We will
hire people who behave improperly instead; your training is equivalent
(or less than) experience gained from acting unethically."

That is a worse statement to make. Most of the professionals in the
field could easily break in to business systems because of lax
security, but would never dream of doing so. To prefer confessed
crackers over honorable professionals is quite an insult.

As a professional, I would refuse to do business with firms who hire
these guys as security consultants. They show surprisingly poor
business sense, and an (indirect) contempt for the people who work
hard and *ethically* their whole careers.

Note that I'm not stating that these three, in particular, are less
than honorable now or will commit any crimes in the future. I'm
stating that, in the general case, such "reformed" individuals are a
very poor choice for security consulting. Neither am I making the
statement (incorrectly attributed to me in CACM a year ago) that
people like these three should never be employed in computing-related
jobs. I am disturbed, however, that they would be hired *because*
of their unethical and illegal behavior-past.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************