[FAILED SPAM TEST] - Re: [FoRK] [IP] more on Rejected Harvard applicants say school's reaction to Web page "hack" excessive (fwd from firstname.lastname@example.org)
kelley at inkworkswell.com
Fri Mar 11 12:00:41 PST 2005
At 02:20 PM 3/11/2005, Karl Anderson wrote:
> > I'd say that it started way before Harvard called these people hackers.
> > During the dot.bomb boom, when every journalist wanted to break a story
> > about the 'evil hackers'. Mitnick's hacking was mostly social engineering
> > passwords out of people and he became THE epitome of "smart evil people
> > developing and running programs..." Yet, he didn't really do much of that
> > at all.
>Hacker, cracker, and phreaker texts have always emphasized social
I know, I spend my days teaching people about social engineering. And, in
fact, used to do the "social engineering" part in penetration tests for a
What I was on about, was that the media (and others) associate hacking
pretty much solely with the evil genius who writes code. Meanwhile, Lamo hacks
into the insurance provider for Cingular by going dumpster diving,
whereupon he finds the URL to get into the site and download ID information.
Everyone's on about technological solutions when the problem can't be
addressed by technological solutions alone. They help, but it's not enough.
The media encouraged this way of thinking throughout the late '90s,
particularly as the media increasingly used Press Releases to construct the
news -- though that, too, is ancient. A friend who did business journalism
in the early 80s said it was rampant then.
Anyway, it turned out that it wasn't really "evil geniuses" writing code in
some dark basement in their parents' house, but more likely "insiders" that
were "hacking" systems. And that was the media buzz for a few years. Who
promoted that twist? Why, another branch of the security industry: the
companies who do credit card and background checks to weed out potential
fraudsters. If you have a lot of debt or live too high on the hog, you're
pegged as someone likely to engage in "hacking" from the inside to finance
This encouraged even more fear of the IT department where you supposedly
had a lot of "evil geniuses" posing as mild-mannered (heh) programmers.
But then, someone looked at the numbers from the CSI/FBI research a little
more carefully. The problem? A lot of the "insider" crime resulted from the
PEBKAC phenom. In other words, they were counting things like user mistakes
and executing malware as "insider" crime. So, in part, organizations can
address the problem with better training. It should be part of any layered
security architecture. Alas, many news stories don't want to address that
because it's not sexy-cool. 
Anyway, now I'm ranting again. :) </rant>
 The astute FoRKer will, of course, recognize my own interest in
"improved" reporting. Oh, the irony. ... :o
Ink Works: Security awareness and privacy training
Phone: +1 (727) 942-9255
E-mail: mailto:kelley at inkworkswell.com