Thursday, August 03, 2006

Intruders Selling Security Software

If you read my coverage of the UBS trial, you'll remember the controversy involving Karl Kasper's "hacker" background. I said in that post:

All the wanna-be hacker kiddies should remember that grown-ups don't trust the opinions of "hackers" in courts of law.

If you wouldn't trust what a "hacker" says in court, would you trust software sold by an intruder?

Yesterday I read this article: Ex-hacker helps companies get defensive. It contains this news:

A reformed computer hacker is winning big clients for open-source software and hardware products that protect a company's network from intruders...

The 27-year-old [name deleted] got his start at the U.S. Department of Defense in an auspicious way: He agreed to work in information warfare after he was arrested at age 17 for hacking into a government network. In return, he served no jail time.


I'm appalled by this story. First, it demonstrates the press' obsession with using the term "hacker" to describe an intruder. Second, the intruder is posting word of this story on the front page of his company's Web site. Third, this intruder worked for a variety of companies in sensitive positions -- including, supposedly, our own government. I wonder which of those post-arrest companies knew about this intruder's arrest? I wonder if this is the first time his customers will learn of his past?

16 comments:

Anonymous said...

Richard:

"I wonder if this is the first time his customers will learn of his past?". I believe that this is just wishful thinking. It is quite apparent, with corporate behavior from organizations like Enron, United Airlines (defaulting on retirement benefits) and other similar companies, that corporate ethics are 'in the toilet' these days. I don't think many companies would really even care as long as it doesn't interfere with their bottom line (it's all about 'shareholder value' to keep the stock/profits up). Let's be honest, when you purchase an item such as a laptop computer, are you really looking at the corporate background of say IBM, Dell, or Shuttle to determine their ethics, or is your major determining factor features and price :-)? Most people don't care, it's just another piece of equipment that's needed to conduct day-to-day business. The US Government even purchases products such as Microsoft, Cisco, and IBM who all conduct large amounts of development outside of the United States. Do you really think they do source code review on these products (in addition to background investigations of each programmer who's contributed to the product from CEO on down)? Doubtfully...just another 'supported product' that they will have someone to search after if something isn't right. Remember...it comes with a 'warranty'.

Victor Julien said...

I found this article (rant if you will) about the subject very sharp: http://www.line56.com/articles/default.asp?ArticleID=7766

LonerVamp said...

A few things...

Anonymous made a good point by saying that it doesn't matter, but I wouldn't say as much about corporate ethics being in the toilet, so to speak, as much as it is a realization that whether someone has a sordid past or has been a perfect person since birth, they are still someone offering up certain services and skills and talents. It then becomes simple risk for HR. Would you turn away someone who can solve a problem you have, just because they are or were a hacker?

In defense of this guy whom I don't know, I will say his mistake occurred at the age of 17. I can't think of many people who didn't make mistakes at that age (those few that didn't, I bet wish they did...), but maybe his second chance gave him the tools and moral standing to use his skills in a different way. Thinking otherwise seems to say if someone breaks the law and is caught, he is a criminal for life and we may as well do away with "x years in jail sentences" and just move them all to some remote island and save our paradise. I think, however, that enough people can reform and change if given a chance.

Honestly, for as much as I could make snap judgements about ex-hackers, I could make snap judgements about the lack of skills in straight-laced security personnel. (I won't though.)

Now, with all that said, the judicial system is a different world altogether...

LonerVamp said...

Just read the link from Victor.

I think it is telling that this guy reveals why he is jaded. He actually really does feel resentment not at the bad morals of other people, but that his morals kept him from being in what he perceives as a better position. This destroys a lot of his credibility in his arguments being logical and instead being passion-influenced. He is not being punished by a corrupt society for his conscience, he just didn't strive harder or in the correct ways.

He also makes spurious conclusions that people who do these things are "vicious, heartless, and inept." In fact, the opposite could be true, they are demonstrating they have a skill, if not moral standing. And his generality for criminals is appalling. Yes, there are some moralistically voided people, but there are also people who do just fine who have broken the law at some point. He is using extreme examples of people who did wrong things and made money over it, with all the other criminals whose lives will amount to even less than the author's.

The US is an interesting entity in that we are Christian (largely) and capitalist, and we cling to those desperately. This means we love competition, we have a hard-work mentality, and we tend to be very individual. This means that individuals who succeed are valued.

In addition, we have this obsession with drama in other people's lives. We snap up the books of murderers to read up on it...the same people that are "hard-working people [struggling] along on dollars a day."

Either way, everyone has their own personal morals and their own happiness and place. Rather than blame society for one's unhappiness, I think there are other, better ways, to be happy. I will almost sound terrible for saying this, but reading opinions like this make me feel sad that this guy may just live the rest of his life in anger, and die angry at other people, rather than being happy with himself...

Anonymous said...

I found it ironic that the author of Victor Julien's reference seemingly has no qualms about violating another author's copyright. Apparently, the author's ethics do not extend to intellectual property.

http://www.roughtype.com/archives/2006/04/an_open_letter.php

Also, lonervamp, your syllogism regarding Christianity and capitalism is flawed. Just because a nation may be largely Christian and capitalistic does not necessarily mean it loves competition, individualism, etc. Western Europe and Canada are largely Christian and capitalistic but they favour greater economic regulation, invest heavily in the welfare state, and believe in a greater balance between individual and collective rights.

Regards,
David

LonerVamp said...

Not that I want to discuss it here, but the Christian part was mushed together in my sentence. I meant that to only refer to a hard work ethic. A basic attitude in most protestant religions (and thus permeates society) is that of a hard working individual doing something useful.

Anyway, my apologies for mushing that all up. :) Even if I am still flawed, feel free to let me know via email. :)

Eric Hines said...

Richard, you posted this blog as if you don't know me, yet you've slung mud at me on mailing lists. Also, are we to believe that you "randomly found this news article" surfing the Chicago Sun Times newspaper when the truth is you probably check our web site regularly, maybe hoping to find something you can post about in your Blog? I may be an ex-hacker who admitted to making a mistake when I was 17 and luck smiled on me and the charges were dropped, but I can't believe you lead a perfect life either and have never made mistakes, especially when you were a teenager. Interesting how you didn't focus on anything else in the article such as selling my first company when I was 17 to a public company or the success my current company has had.

Is the reason you're always firing shots at me because of your involvement in Sguil? -- Which happens to be a competitive product of Applied Watch?

Come on Richard, keep your blog to other things rather than mud slinging at Applied Watch or me. Also, you rant as if I'm writing the code for the software. The product has been and continues to be developed by a team of programmers, not me. I'm a self-professed graphics designer for the company that handles Marketing and Press Relations. Heck, we've got to be doing something right if the military and government trust and use our product.

Do you do a background check on the CEO of the company you hire to do construction work around your house? To check your water meter? Can you account for the things developers on some of the Linux projects and distros out there did when they were kids? Can you account for the background of the developers at other security product companies that companies you've worked for bought? Just because they don't have a record or haven't been arrested, do you actually think it means they aren't a hacker or have been engaged in it at one time?

I like how you only cut out the title. I'm going to forget the fact that you decided to attack us using this article that I had focused on my father who recently passed away, that's pretty classy of you Richard. Have some dignity. Is this really how a revered author should be acting?

Richard Bejtlich said...

Eric,

How does it matter how I found the article? I didn't learn of it by visiting your Web site. You flatter yourself to think I pay attention to your company at all.

While you were busy getting arrested ten years ago for "hacking into a government network," I was defending the country as an Air Force officer.

I'm well aware of your Photoshop skills -- you messed up one of the attendee's shirts when you put your logo everywhere in that photo.

You're selling a digital security product. Digital security, at its core, is about trust. I won't buy or use anything I know came from someone who compromised the very networks I was once tasked with defending. Why should I when there are so many other options?

I am truly sorry to hear about your father. I can't imagine how tough that might be.

As for your companies and other past activities, you'd be better off keeping a low profile. I recommend you concentrate on your own business and think twice the next time you try to use your "Loki" persona or "ex-hacker" angle to promote yourself.

By the way, I never named you directly in my blog post. Anyone who was interested had to look deeper by reading the story linked from your own Web site. It's not like you slipped up by speaking with a reporter -- you were promoting this through your company.

Anonymous said...

Eric,

Actually, I was the one who passed the URL to Rich. I stumbled on it after I looked at the statistics from the sguil.sourceforge.net site and saw gateway.appliedwatch.com as one of the top hosts visiting, so who is checking up on who? In all honesty, it was August 1st (new month) and probably just a freak accident that you guys were listed as one of the top visitors.

I don't think anyone had any intent on slinging mud at you. Quite honestly, I was merely amazed that someone (anyone) would still use their 'hacker' past to promote themselves or a company in today's security world. I think Rich agreed and blogged about it. I thought the entry was professional. Your comments weren't. I can understand you are a little upset about the negative publicity, but you should try harder to keep your emotions in check.

Oh, and I don't really think of Sguil and Applied Watch as competing products. Last I knew, you marketed Applied Watch as a SIM and we are pretty fanatical about making sure people know Sguil is not a SIM [0].

Bammkkkk

[0] http://infosecpotpourri.blogspot.com/2006/01/sguil-is-not-sim.html

Eric Hines said...

This is my last reply on this forum so if you guys wish to discuss this with me offline, feel free to email me.

Applied Watch is not a SIM and we make it a point not to position ourselves as such. AAMOF, yes, Sguil and the AWCC are competing products (http://www.appliedwatch.com/products/faq.php#1).

So when you and or Richard write things in forums or mailing lists against me or this company, I'll respond.

Now, regarding the newspaper article. Newspapers choose what to write about based on your interview with them. The title of the article was chosen by editors at the newspaper. The issue of me being arrested when I was 17 was a few-second explanation to Sandra on how I got into security. AAMOF, some of the things I requested be removed were printed anyway. How do you guys think Newspapers work? They lure and want to attract an expanded reading base by the stories they print. How do you make a story more sexy and appealing that would make you want to buy it? Use catch-phrases like "Ex-Hacker".

What do you both think? I wrote the article myself and submitted it to the paper to be printed?

It doesn't work that way. Now, as far as why I linked to it, despite the title which you guys decided to focus on, it is a great story about me, my background, and my father. So it is great PR for the company on its success and revenues, not to mention it being on the front page of the business section of the Sun Times. Despite what you guys decided to focus on, which was what, the title?... was that it's a story on perseverance and dedication and what both can bring.

I'm sorry that the only thing you guys decided to focus on and get out of the entire story was the title.

Bamm: I've never been able to tell if someone is upset, happy, or being sarcastic when writing emails or any other form of communication on the Internet. AAMOF, I don't know a single person who can. So please don't make assumptions as to whether or not I'm being too emotional or emotional at all in my writings as anything other than seeing my face and hearing my voice would be a presumptuous claim.

Richard Bejtlich said...

Eric,

I have plenty of experience with newspapers.

If you don't want them to print something, you (1) don't tell them about it, (2) ask to speak off the record, (3) not publicize the story once it's printed, or (4) specifically issue a counter-story once it's printed.

You promoted the story on the front page of your Web site.

You can use my blog post as an example of what not to publicize. I did not (1) mention your name in my blog post, (2) link to stories from your post-arrest, "ex-hacker" past, or (3) shed light on certain parts of your corporate biography.

If "there's no such thing as bad press," you should be happy I had anything to say at all about your company.

Anonymous said...

*sigh*

I don't know what made me think that Applied Watch is a SIM (you may want to try a little harder at "making a point to not position yourself as such").

Eric: When people start writing things like "...when the truth is you probably check our web site regularly, maybe hoping to find something you can post about in your Blog? ...", chances are, that's emotion, not logic speaking.

I apologize to everyone for us turning Rich's blog into a freaking slashdot forum.

Anonymous said...

yeah here's the thing about "not hiring hackers to do security work". Who ARE you going to hire?

There are no, and i repeat NO security experts (in the true sense of that word) who have not had at least some hacker ties. No college on earth offers classes which can give you the real security knowledge. It comes from the underground, and underground is the only place to get it.

The world is full of consulting houses which charge unsuspecting businesses hundreds of thousands of dollars for security solutions performed by certified "never was, never will be a hacker". When we do penetration testing on these companies they are usually shocked at the fact that we broke through laughable defense in mere hours without anyone even noticing the attack. True security takes true experts. Hacking something when you're 17 is not quite murder, and the knowledge gathered is both infinitely superior to any other, and infinitely more useful.

The idea of not hiring someone who can do a great security job, because they defaced a website 8 years ago is silly from any number of perspectives.

Anonymous said...

Amen, amen, amen!

This sort of attitude that things are so simple as whitehat / blackhat / (cr)hacker / defender, whatever, is silly and unproductive.

If you work in InfoSec, and you're actually worth a damn, you learned what you know somewhere, and you spent some time poking around, maybe in a sandbox you built, or maybe (regrettably) somewhere you shouldn't have. That's life. God help us if no one in this business ever touches a sploit or rattles a doorknob.

Must we bring up this again? (Cloak.c)

It's never so damn simple, people, and a blog with Tao in its title should be capable of being a bit more dualistic, don'tcha think?

Eric is hawking his wares on listservs and needs to ratchet it down, agreed. But character assassination is a bit much. He who is without sin, etc, etc.

Anonymous said...

He or now she is back. Now known as Alissa Valentina Knight and working according to "her" LinkedIn profile as the CISO at Gennetech and leading product development for a cyber security vendor ISC8, formerly known as Irvine Sensors, which handles numerous classified government programs.....I wonder if these companies know who is on their teams.

Anonymous said...

Alissa says on her profile, website(s) and bio that she is the CISO at Gennetech but when contacted they denied this. Considering her web presence which links her to terrorist organizations would limit her ability to get employment in the security arena. Perhaps that was the reason for adopting a new identity after her transformation from Eric Hines to Alissa Valentina Knight. It seems that the only thing Eric did not change was social security numbers.