* Posts by jf 1

1 publicly visible post • joined 30 Jun 2009

Cyber security minister ridiculed over s'kiddie hire plan

jf 1

most intelligent comments by a govt official relating to computers yet..

You know, first and foremost, I hate that people toss the word script kiddie around so much, especially so-called security experts who are not intelligent enough to realize that *they* generally are the script kids. I mean, first of all, Trend Micro puts out a horrible product, but consider this, Mr. Ferguson: can you find your own bugs? Write your own exploit? Have the intelligence to figure out what happened when it didn't work? Pop the box? Put a non-trivial rootkit on it once you get it? My bet is that no, unless it comes packaged with Metasploit, Nessus, Qualys, et cetera, you can't-- this makes you the script kid.

Furthermore, the idea that only unskilled hackers get caught is silly. It's the same rhetoric that the whitehat world has been using to dance around the fact that the majority of them have never broken into a computer. 'I just didn't get caught'; no, you didn't do it in the first place.

McKinnon is a bad example, because he really is a script kid; he just ran pcAnywhere or similar and randomly connected to boxes with no password/default passwords. But consider people like Max Butler/Vision, or Stephen Watt. Both of these men are currently awaiting sentencing. This is going to be Max's second trip to prison, actually. Both are absurdly talented and broke into a hell of a lot of computers prior to getting caught. Eventually, if your acts are high-profile enough, you get caught, period.

Finally, the original quotes from the MP included statements about offensive capabilities. Trend Micro et al. have no place in that area; you can't even defend properly, much less reach out and smack your adversaries back. The MP's statements, I thought, as a fairly accomplished security researcher in this industry, were spot on and represented the first time ever I've heard a government official from any country say something intelligent in this regard. Obama just put up several billion dollars for cyber-defense; what he's going to get is several billion more dollars' worth of the same failed infrastructure that we've had for quite some time.

This is sort of an arms race, and much like the nuclear arms race, what matters is the end result. The standard government hiring practices fail to adequately staff such departments; from experience in the US Govt, I found that typically the people you wanted probably wouldn't get a clearance (myself included), so you have to ask yourself whether the ends justify the means, whether you want a superior capability or not, and if it's worth it to hire a bunch of people who wouldn't pass the usual standards in order to have it.