[FAILED SPAM TEST] - Re: [FoRK] [IP] more on Rejected Harvard applicants say school's reaction to Web page "hack" excessive (fwd from dave@farber.net)

Kelley kelley at inkworkswell.com
Fri Mar 11 12:00:41 PST 2005

At 02:20 PM 3/11/2005, Karl Anderson wrote:

> > I'd say that it started way before Harvard called these people hackers.
> > During the dot.bomb boom, when every journalist wanted to break a story
> > about the 'evil hackers'. Mitnick's hacking was mostly social engineering
> > passwords out of people and he became THE epitome of "smart evil people
> > developing and running programs..." Yet, he didn't really do much of that
> > at all.
> Hacker, cracker, and phreaker texts have always emphasized social

I know, I spend my days teaching people about social engineering. And, in 
fact, used to do the "social engineering" part in penetration tests for a 
former employer.

What I was on about was that the media (and others) associate hacking 
pretty much solely with an evil genius who writes code. Meanwhile, Lamo hacks 
into the insurance provider for Cingular by going dumpster diving, whereupon 
he finds the URL to get into the site and download ID information.

Everyone's on about technological solutions when the problem can't be 
addressed by technological solutions alone. They help, but it's not enough. 
The media encouraged this way of thinking throughout the late '90s, 
particularly as the media increasingly used press releases to construct the 
news -- though that, too, is ancient. A friend who did business journalism 
in the early '80s said it was rampant then.

Anyway, it turned out that it wasn't really "evil geniuses" writing code in 
some dark basement in their parents' house, but more likely "insiders" that 
were "hacking" systems. And that was the media buzz for a few years. Who 
promoted that twist? Why, another branch of the security industry: the 
companies who do credit card and background checks to weed out potential 
fraudsters. If you have a lot of debt or live too high on the hog, you're 
pegged as someone likely to engage in "hacking" from the inside to finance 
your debt/lifestyle.

This encouraged even more fear of the IT department where you supposedly 
had a lot of "evil geniuses" posing as mild-mannered (heh) programmers.

But then, someone looked at the numbers from the CSI/FBI research a little 
more carefully. The problem? A lot of the "insider" crime resulted from the 
PEBKAC phenom. In other words, they were counting things like user mistakes 
and executing malware as "insider" crime. So, in part, organizations can 
address the problem with better training. It should be part of any layered 
security architecture. Alas, many news stories don't want to address that 
because it's not sexy-cool. [1]

Anyway, now I'm ranting again. :) </rant>


[1] The astute FoRKer will, of course, recognize my own interest in 
"improved" reporting. Oh, the irony. ... :o

Ink Works: Security awareness and privacy training
Phone:  +1 (727) 942-9255
E-mail: mailto:kelley at inkworkswell.com
