On Sat, 10 Apr 1999, Peter Bruderer wrote:
>
> I completely agree with your statement.
So do I...and yes, the thread is getting long...
> The problem I see is: if you or a friend of yours can talk on this level with a
> "hacker" to justify his knowledge, then you probably do not need a hacker,
> because you are one yourself or your friend is one.
Also, I do agree on this one, with a little nuance... What I see as well
is that there are people who can talk about the issues, can discuss the
points Alyea wrote down - even in a sensible way, but when given a Unix
prompt (or WNT computer) they don't know what to do... They have no
hands-on experience with operating systems and networking, it's all theory
for them. Sometimes they know how to navigate through the system to start
up ISS/Cybercop/etc and that's about it...
Also, what they often lack is the knowledge about how to put all that
stuff in perspective for a specific client's situation - and that is what
you, as a client, want.
> The problem I face is that most companies have ABSOLUTELY no idea what's
> going on on their networks and computers. As soon as they have to type in a
> few letters on an interface other than WinWord, they are lost. How can such a
> company get a real hacker? My opinion is: If they get one, it is simply a
> lucky punch.
Like I said above.... maybe you know the saying: "the amount of clue on
the Internet is a constant...." (or something similar...) That not only
accounts for the Internet....
> Alyea <[EMAIL PROTECTED]> writes:
> >
> > Perhaps I do need to define "hacker" (my definition, not the media's).
> > A hacker is someone who continually strives to understand how things
> > work and how they should be improved. Commonly, this leads to
> > discovering flaws in a system (be it operating systems, software,
> > electronics, mechanics, etc). A hacker is NOT the person who downloads
> > scripts and "point and click" utilities to circumvent the security of a
> > system (though he/she may be the one who writes these tools).
> >
> > The best security people you will find are or were "hackers." When I
> > said "I don't see a problem with HIRING 'hackers,'" I was by no means
> > implying that one should search the Internet for someone calling
> > him/herself "AOL_Ub3rh4cK3r" and offer him/her a job. It is (usually)
> > pretty easy to determine who has a clue and who doesn't (if you are able
> > to speak at a technical level with the person). If you (or your
> > organization) cannot determine the technical adeptness of a prospective
> > hacker/consultant, find a friend/relative/known quantity who is able to
> > conduct an interview or outline some questions and answers for you.
> > Take notes during an interview and review them with your knowledgeable
> > source.
> >
> > Key points to discuss:
> >
> > - Talk about IP and its inherent weaknesses. If the hacker/consultant cannot
> >   explain them, they probably don't know what they are talking about.
> > - Talk about the underlying reasons that an 8 character password on an NT/98
> >   mixed network may not be secure. If the hacker/consultant can't tell you
> >   about the LM hash and simple password cracking techniques (in detail), but
> >   does recommend "longer passwords with lower case and capital letters,
> >   numbers and special characters," reconsider your contracting options.
> > - Talk about port/security scanners. Far too many people run a scan and say
> >   "here are all of your problems." These tools are intended to be starting or
> >   ending points in a security assessment (depending on your point of view),
> >   not the entire assessment.
> > - I won't list any more, you get the point.
>
>
> have fun ...
I will...:-)
Gr. Arjan
----
Eat hard
Sleep hard
Wear glasses if you need them
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
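The LM hash weakness behind Alyea's second interview point, as an added example that is not part of the thread: this Go program (function names lmKey and lmHash are my own; the test vectors are the standard published ones) computes the LAN Manager hash the way NT/98 mixed networks stored it, and the code makes the reasons an 8-character password is weak visible: the password is upper-cased, null-padded to 14 bytes and split into two 7-byte halves that are each used as a DES key on a fixed plaintext, so the eighth character stands alone in the second half.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmKey spreads a 7-byte half (56 bits) over the 8 bytes of a DES key,
// 7 bits per byte with the low bit left free for the parity bit DES ignores.
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return key
}

// lmHash returns the 16-byte LAN Manager hash as lowercase hex.
// Weaknesses visible here: case folding, a 14-byte cap, and two halves
// hashed independently, so any password of 7 or fewer characters yields
// the constant aad3b435b51404ee as its second half.
func lmHash(password string) string {
	buf := make([]byte, 14) // null padding; copy truncates at 14 bytes
	copy(buf, strings.ToUpper(password))
	magic := []byte("KGS!@#$%") // fixed plaintext used by LM
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, err := des.NewCipher(lmKey(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err) // key is always 8 bytes, so this cannot happen
		}
		c.Encrypt(out[i*8:i*8+8], magic)
	}
	return hex.EncodeToString(out)
}

func main() {
	// constructed sample passwords, not taken from any real system
	for _, p := range []string{"", "secret", "password", "PaSsWoRd"} {
		fmt.Printf("%-10q %s\n", p, lmHash(p))
	}
	// the second half of the 8-char hash depends only on its 8th character
	fmt.Println(lmHash("password")[16:] == lmHash("d")[:16])
}
```

Because each half is recovered independently and case is discarded, the effective search space is far smaller than the 8-character length suggests, which is the point a competent consultant should be able to explain before recommending password rules.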