
'Hackers wanted' ad fed security misconception - robg
http://www.nytimes.com/external/idg/2009/04/28/28idg-hackers-wanted-ad-fed-security-misconception-12208.html
======
byrneseyeview
His analogy is not appropriate in this context. Security is a special case in
which getting around it is a good way to learn about it. It's not the same as
arguing that wrecking a car means you're qualified to repair it -- it might be
akin to a company hiring people who've been in accidents as a focus group for
a new system that seizes control of your car and attempts to avert a
collision.

Most of the appropriate analogies are related to crime (hire someone who picks
locks to test whether or not your lock can be picked; hire someone who breaks
into houses to test whether or not your house can be broken into). This is
because crime is a special case, but you could also imagine a search engine
hiring black-hat SEOs, a casino hiring card-counters, etc. If you want
something to be exploitation-proof, you probably want to see what happens when
experienced people try to exploit it.

It looks like people are seizing this as a PR ploy -- shame General Dynamics,
and make sure people who Google "General Dynamics Hacker Ad" get to see you
tut-tutting and defending virtue.

~~~
biohacker42
Don't banks routinely hire safe crackers to help them make the safe more
secure?

~~~
byrneseyeview
I don't know. What I _do_ know is that they'd probably get really great safe
crackers if they paid on contingency:

"We're putting a million dollars in the safe. We'll sell 24 hours alone with
this safe to the highest bidder."

Also, this could be turned into the plot of a third-rate thriller, if the
pricing model thing doesn't work out.

~~~
wlievens
Or a reality show.

------
tptacek
I've heard this old "it's easier to break things than to build them" chestnut
a thousand times, but never once from a serious practitioner.

That's because it isn't easier to break things than to build them. Most crypto
attacks require more cleverness and more sophisticated math than the original
algorithm required, a point that is all but spelled out for you in the crypto
books when they say "don't even bother trying to build your own cipher until
you've broken several others first".

Or take software. Does anyone actually believe that it was harder to write
code for the ActionScript interpreter than it was to get Dowd's exploit
(<http://bit.ly/13OjyR>) working? Lots of people have written interpreters
(even fast threaded stack interpreters). Nobody has written an exploit this
sophisticated. And this is just an exploit! It isn't even a clever
vulnerability!

This is Ira Winkler's big thing. Ira has, as far as I can tell, no discernible
technical skills. He's never published any research. He's never published any
code. He's written and contributed to several third- and fourth-tier books,
and he pundits for the trade press. From what I've seen in my career, people
that fit this mold generally fall into one of two buckets:

* People who try to make up for their lack of technical ability by worshiping researchers (like Dowd) and developers (like Fyodor).

* People who try to make their lack of technical ability seem irrelevant by tearing down other people.

Winkler has always been firmly in the latter bucket. If you want to talk about
"things that set the computer security industry back three years", let's start
with articles that conflate actual criminals (like the "Twitter hacker") with
people who have chosen breaking systems as a research topic.

~~~
yan
Your post is filled with absolutes, where in reality, it's rarely that clear.
I understand it's what gets the people to read and pay attention, but I'm
gonna have to disagree that it's always harder to break something than to
build it. Writing _complex_ software _securely_ is hard.

I'd argue writing WebKit is much harder than attacking it. Even Miller bragged
about how easy it was to break it. Especially now, fuzzing is so hot exactly
for the reason that it lets people collect vulns from software they just shook
without too much insight.

Writing exploits is getting harder and harder with modern operating systems,
I'll give you that, but classically, defense has been harder than offense. I'm
not exactly arguing your position, I'm technically in the security industry
myself, but limiting examples of breaking things to Dowd's super-human exploit
or cryptanalysis of modern algorithms is just as disingenuous, just as making
absolute statements like "That's because it isn't easier to break things than
to build them". I'm sure you had the experience of walking into a pen-test and
delivering a list of vulnerabilities in laughably misconfigured and outdated
software.

I just don't understand why one field has to be harder or more elite than
another. Both have hard, interesting work with brilliant people.

~~~
tptacek
I do tend to advocate the opposite of the "harder to build than break"
argument, and that argument is, I suppose, just as faulty. I agree with your
last paragraph. It is, in the end, just a stupid argument.

However, my side of this argument is just disingenuous, while Winkler's side
is a pernicious industry fallacy that genuinely has set us back: it's embedded
into several of the bullshit certifications that gate some high-paying jobs,
and it's a consistent excuse for practitioners to avoid keeping technically
sharp and for implementors to avoid responsibility for the code they ship.

So while recognizing that you are right about the merits of the argument, I am
unlikely to stop making it.

------
cubicle67
"Let's establish some fundamentals. If I throw a glass against a wall and it
breaks, does that mean I am qualified to make a glass or repair the broken
one? If I drive a Ferrari into a wall and wreck the car, does that make me
qualified to repair it?"

How about "If I read a newspaper, does that make me qualified to write about
IT security?" Why yes, it looks like it does.

------
habs
"Many hackers are one-trick ponies who know how to use a few specific tools
but are clueless after those fail."

I think he has confused script kiddies with hackers. Hackers don't just run
scripts and shrug their shoulders when things don't work. Hackers make the
scripts and find vulnerabilities in systems, usually employing some very smart
techniques to obtain their goals (shellcodes, buffer overflows, etc.). A
fantastic knowledge of C / ASM is usually required...

"the U.S. government believes that you need criminals to think like
criminals". Just for the record: Hackers != Criminals.

------
abyssknight
The irony is that there's a nice little conference that happens every year
just for this purpose. They call it Defcon. ;) People need to get over the
monikers, labels and just realize what we really are. Hackers are exactly what
you need to take in the whole picture of security. We're multi-talented, able
to take on problems from multiple angles, and get around the norm and best of
all we're _passionate_ about it.

~~~
tptacek
Next time you say this, say "Black Hat" instead of Defcon. They're sister
conferences, but Black Hat is where most of the actual research gets
published.

~~~
abyssknight
I know they both exist, and that they're related but I thought Defcon was the
more informal conference and the ad seemed to allude to a more informal target
audience. That said, you are correct, most of the research gets published at
Black Hat.

 _And in the spirit of full disclosure, I have no first hand knowledge of
either conference. My father is an Information Security Architect and we often
talk shop. One year he went to Black Hat and mentioned the complimentary
Defcon passes, and I perked up. I love playing with Nessus and decompiling C
code to hex and editing ASM like any other self respecting geek, but I'm far
from that league._

~~~
tptacek
Nah, just trying to give you the right jargon. =)

~~~
abyssknight
Hey, I appreciate it! :) Feel free to school me anytime. Heck, I _live_ for
it.

------
philwelch
I know this is a minor point, but I found it striking.

"Some people will contend that this is all a misunderstanding, because
"hackers" are not computer criminals by definition. Criminals are "crackers,"
they will point out."

I know the point he's trying to make (the old boring semantic argument of what
"hacker" means) but that is so clumsily phrased that you get the distinct
feeling he doesn't even understand the point himself. You also begin to wonder
how that kind of crap can get published by the New York Times.

------
chacha102
Why can't they just say: "Hack into the Government's System and Tell us about
the exploit. We'll give you $200". It's much simpler than hiring a bunch of
people, and it will give them more people testing the system.

~~~
byrneseyeview
It increases the incentive to hack by raising the average return. One result:
a cracker knows that, at worst, they get $200 for breaking into a system; at
best, they get whatever they can get away with.

Though they could structure the deal differently (by making crackers identify
themselves in advance).

------
ajkirwin
The thing is, social concerns about impropriety aside, for securing your
stuff, a good 'hacker' is exactly what you need.

Because the really good ones are the people with the ability to think in the
non-obvious ways. From what I have seen, there are legions of "computer
security experts" who seem to just have a degree in some kind of computer
field.

These people are quite adept at telling you ways to fix the person trying to
break down your door. But to find the guy secretly tunneling through your
foundations?

For that, you need a 'hacker'.

