GCN August 10, 1998


Hackers, feds say govt. net security stinks

By William Jackson
GCN Staff

LAS VEGAS—Hackers and feds faced off at the Black Hat Briefings last month but also found they had something in common: a lack of respect for the government’s network security tactics.

“In general, we don’t have a clue what the threat is and what ought to be done about it,” said a Defense Department employee who identified himself only as Ken.

“Everybody basically does whatever he likes,” said Marcus Ranum, a former hacker who characterized himself as a white hat.

“That’s one of the reasons government security is so lame,” Ranum said. “I’ll believe the government is serious about security when somebody at the Pentagon gets fired.”

The briefings brought hackers face to face with public- and private-sector systems administrators for two days of talks. Most panelists were identified by handles or first names only. The federal session barred photographers.

The hacker panel, despite casual attire, nevertheless represented corporate officials and consultants. Ranum, for instance, is president and chief executive officer of Network Flight Recorder Inc. of Woodbine, Md., a network monitoring tools maker.

One hacker, identified only as Artimage, said, “Right now I’m a college student, so I’m doing it for the grade. But next year, I’m in it for the money. I’m a whore; I admit it.”

For the most part, the panelists presented themselves as ethical hackers who distinguished between breaking into systems and breaking code to identify weaknesses.

“The only people who really break into machines are malicious kids,” said a hacker who called himself Peter.

The federal participants had even more complaints about government security practices than they did about hackers.

“A lot of managers have no idea where to start looking” for vulnerabilities, said a government auditor who identified herself as Ceil.

“I have become very cynical about the people who manage government systems and the vendors who are selling them things to secure those systems. You wouldn’t sell a Porsche to a 3-year-old who wanted a Matchbox car, but that’s what they’re doing—selling Porsches to dumb little 3-year-olds,” Ceil said.

Fed roadblock

She said parochial attitudes and stovepipe mentalities within agencies make it difficult to assess problems, let alone find solutions.

One federal employee, who performs vulnerability assessments for the Defense Information Systems Agency, defended government security efforts.

“We’ve got old management with old ways of thinking who need to be educated,” he said, but “the government is not sitting idly by.”

Flaws are getting identified and closed, he said. “It’s a problem that is never-ending. Congress is throwing a lot of money at it.”

Making a system Internet-accessible is asking for trouble, said a hacker identified as Mudge.

“There should be liability for not doing due diligence on your system when you’ve invited people in to take a look,” he said.    


GCN | S&L | Shopper | CSG | E-mail | Search

Copyright 1998 by Post-Newsweek Business Information, Inc.,
a division of the Washington Post company.
All rights reserved.