
Security Hackers Interviewed

An anonymous reader writes "SecurityFocus has published an interview with Dan Kaminsky. He was a guest-hacker at the Microsoft Blue-Hat event. At the same time, Whitedust is running an interview with Richard Thieme from back in April. Richard is best known for his column 'Islands in the Clickstream', which is syndicated in over 60 countries." Thieme also wrote a column or two for Slashdot back in the day. From the Kaminsky interview: "Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of 'rightthink'. Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels."

  • by Nytewynd ( 829901 ) on Thursday July 21, 2005 @10:17AM (#13123842)
    If it was a true culture shift you would see something like: x company has announced the hiring of 1,000 new software programmers to create a new division of security. This new division will audit all code for potential security problems before any new programs are released.

    That would be followed immediately by "On IRC, 10,000 hackers were recruited to find holes in X Company's security measures."

    Security is a concern, but it is mostly exclusive from features. For 99.9% of the features you add, there is a way to make them secure. Unless the feature is to upload and execute random code I guess.

    The biggest problem with security is that you can't guard against things you don't know about. Hackers find holes, and then they get closed. It's hard to fill in a hole if you don't know it is there. In a way, for every hack that is exploited the fix makes things more secure than they were. Unfortunately there is a window of opportunity in between the finding and the fixing during which your pants are around your ankles.
  • by Effugas ( 2378 ) * on Thursday July 21, 2005 @10:18AM (#13123844) Homepage
    Lesse...

    1) Metasploit isn't a graphical exploit; it's a Perl shell, very well done, that made exploit development and deployment a far more reliable endeavor.

    2) They're pretty damn motivated -- not perfect, but way more than I've seen any corp. Like I said -- the "intro to security lecture" (people WILL find your holes, you WILL get attacked, etc) just didn't happen.

    3) 13 open reqs for just one consultancy I know of that's got security auditing gigs at MS. Yeah.

    4) I hadn't made the link between customer service and security. You're completely right about it needing to be a cultural element.

    --Dan
  • by ehaggis ( 879721 ) on Thursday July 21, 2005 @10:30AM (#13123962) Homepage Journal
    I am glad to see that Dan did not kowtow to MS despite being a speaker. MS cannot smoke and mirror us into believing the "Windows is secure" mantra by merely providing good, believable speakers. His comparing apples to apples was also a jab at the MS statistical spin machine.

  • Blue Hat? (Score:1, Insightful)

    by Anonymous Coward on Thursday July 21, 2005 @10:45AM (#13124147)
    "(Hackers are) not just a bunch of disaffected teenagers sitting in their mom's basement. These are professionals that are thinking about these issues."
    --Noel Anderson, Wireless networking engineer, Microsoft

    I can play both of those, a single-forty-year-old woman, a fresh-out-of-college jerk, a recently-made-available celebrity, a professional weatherman with agoraphobia, or even an FBI/CIA/NSA agent with a hardcore case of "the powertrip", and you'll never know the difference.

    So why bother defining me? To humanize my actions? To make me feel threatened and exposed?
