
Poor Hype and Muppet Journalism

  • 27-04-2001 9:39pm
    #1
    Registered Users, Registered Users 2 Posts: 380 ✭✭


    http://www.ireland.com/newspaper/finance/2001/0427/fin46.htm
    It's funny, just not in a "ha-ha" way...

    Choice quotes include:
    > By using a software programme designed to track the movement of Internet users called a "TCP wrapper" Mr Hynes can identify the general location of users trying to connect with his own computer systems.

    and, my favourite, (referring to script kiddies):
    > "These kids often wear black, stop shaving and look really scruffy. They use pseudonyms such as rain forest puppy and write hacking tools which they make available on the Web," Mr Hynes says.

    Oh, and the obligatory "Even Eircom got hacked" of course...


Comments

  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭yossarin


    you're not safe here...let me lead you.

    i have a conspiracy theory that most viruses are written by Symantec & Dr. Sol. :)

    still, you have to wonder - are people in business really going to be that easily led ?

    I get a real culture shock when i see things not aimed at my demographic.


  • Closed Accounts Posts: 19 nitr0s


    These same people that Mr Hynes describes as "scruffy" keep him in his job.
    I hate losers like Mr Hynes, who criticise hackers, if hackers didn't disclose what they knew.... these 455h01es would be out of a job full stop. "Security Experts"...yeah, they read bugtraq posts.
    He is a fu|<ing "leech" in my opinion.
    The fu<k conjures the memory capacity to criticise hackers, the same people that build the tools he uses to defend himself.
    What a \/\/an|<er.

    [This message has been edited by nitr0s (edited 28-04-2001).]


  • Closed Accounts Posts: 65 ✭✭wintermute


    I don't really agree with that argument that "hackers" keep security professionals in work and therefore shouldn't be criticised. Even if a theoretical scenario existed whereby nobody tried to attack anybody's systems, I'd still have a job. Security consultants, like anyone else who specialises in a specific area, have a strong background in IT. These ex-security professionals would just return to being network consultants or something.

    The bottom line - in my opinion, security professionals are not dependent on script kiddies and their ilk for their jobs.


  • Closed Accounts Posts: 19 nitr0s


    Well, I don't consider the developers of openbsd "script kiddies"
    You didn't directly mention anything to do with openbsd or the developers.
    But to me, you've just labelled those kind of people "script kiddies"
    You may always go back to the IT area, but there will always be people who want to break into computers, and so security goes with the job.
    But if people that find problems in existing operating systems and software kept the knowledge to themselves, there would be a lot of problems securing any system.


  • Closed Accounts Posts: 65 ✭✭wintermute


    OpenBSD, did I miss something - where did that come from?

    What I mean by "script kiddies" are those individuals who maliciously attempt to attack systems so that they can run their IRC daemons, deface a website or whatever. They don't do anything original or innovative because they don't know how to, they simply download and run exploits that other people wrote.

    I once investigated a case where a box had been half compromised (un-privileged account created), then left untouched. After spending a while doing the usual forensics I discovered why - the "pico" editor wasn't installed. The intruder needed to edit her/his Makefile to reflect the local configuration but didn't know how to use vi so abandoned the system. Now that's what I mean by a script kiddie!

    I do agree with you that security through obscurity is a bad thing. But, that's just the age old debate isn't it?

    There is a really good joke security document called "A Guide to Internet Security: Becoming an Uebercracker and Becoming an UeberAdmin to stop Uebercrackers" - it sums up this discussion perfectly, try to download it.




  • Registered Users, Registered Users 2 Posts: 166,026 ✭✭✭✭LegacyUser


    tom looks in the mirror


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    > Originally posted by nitr0s:
    > These same people that Mr Hynes describes as "scruffy" keep him in his job.

    The association of scruffy kids with Rain Forest Puppy was unfortunate, but I don't see where you are getting the "keep him in his job" reasoning. If anything, newspaper articles such as this have a lot more to do with keeping him in his job, after all, it is businesses who are attempting to protect their assets that will be prompted to hire him or someone like him to help protect themselves.
    > I hate losers like Mr Hynes, who criticise hackers, if hackers didn't disclose what they knew.... these 455h01es would be out of a job full stop. "Security Experts"...yeah, they read bugtraq posts.

    That is not a reasonable conclusion to come to based on one newspaper article which was plainly very poorly researched.
    > He is a fu|<ing "leech" in my opinion.
    > The fu<k conjures the memory capacity to criticise hackers, the same people that build the tools he uses to defend himself.
    > What a \/\/an|<er.
    > [This message has been edited by nitr0s (edited 28-04-2001).]

    I suppose as someone who has posted a few problems to bugtraq, you feel that he is leeching from you in some small way?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    > Originally posted by nitr0s:
    > Well, I don't consider the developers of openbsd "script kiddies"
    > You didn't directly mention anything to do with openbsd or the developers.
    > But to me, you've just labelled those kind of people "script kiddies"

    Care to reveal the convoluted workings of your mind which produced that reasoning?
    > You may always go back to the IT area, but there will always be people who want to break into computers, and so security goes with the job.

    His point was that in the hypothetical situation that these people did not exist, then security professionals would find work in other areas of IT. In the situation you outlined that need wouldn't arise in the first place. You're not making sense.
    > But if people that find problems in existing operating systems and software kept the knowledge to themselves, there would be a lot of problems securing any system.

    It would make people less confident of the security of their systems, but a lot of people take the attitude that you can't be assured that public facing services (or whatever) are bug free anyway.

    There are many techniques for minimizing the exposure that an exploited piece of software will result in, which should be practiced anyway in a lot of situations.

    The original article made no distinction between skilled white/grey/blackhats/researchers and script kiddies. You seem to be under the impression that wintermute is making the same grouping also, but he appears to be talking about malicious attackers only.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Although I can see the reason why you're doing it - some of the comments posted were, probably unintentionally, inflammatory - I really don't know why you're arguing. The whole point of the post would appear to point out that the "security consultant" in question is an ignorant fool who knows slightly less about security than your common or garden script-kiddy; and that Irish "technology journalists" - I won't dignify them with caps - know even less about technology.

    In what would appear to have been a positively vapid interview, Mr. Hynes suggests among other things that Rain Forest Puppy is a script kiddy. Ok, he doesn't actually say it, but he's "guilty by associating" (sic), in a manner of speaking. Of course, anyone who knows /anything/ - and I /mean/ anything - about security knows that Rain Forest Puppy is a well-respected member of the security community.

    He also alludes to the fact that he can track down a cracker just by getting their IP address, and again, anyone with even the most basic knowledge of Internet security knows that even with an IP address, the chances of getting an ISP to associate an identity with that IP are slim and none. Even if the security consultant can do that, it's almost definite that the cracker will have spoofed their IP. If they haven't, they're not a cracker worth worrying about.

    I suppose we could excuse the "technology journalist" for publishing trite like this, but it has to be said that a good journalist always researches his or her stories to make sure they're accurate. This technology journalist obviously didn't. All s/he had to do was talk to one reasonably knowledgeable system administrator. The ensuing laughter would have put the whole article back in the box quite rapidly.

    All I can say is that if this is the kind of person people are putting in charge of security; and the kind of person the meeja are putting in charge of telling the unwashed masses about technology, we're in a whole heap of trouble. I have to say that based on what I have read, there's only one Technology Journalist in Ireland worthy of the caps, and that's Karlin Lillington. The rest just don't understand, and shouldn't try.

    adam


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Was that aimed at me?

    I can see that the article is a load of rubbish, I wrote to the editor to share my view of it. I was merely answering the ridiculous statements made by nitr0s.

    I have no idea if Mr Hynes is as clueless as that article suggests, after all, as I pointed out, the article was obviously not well researched and who's to say what was quoted out of context or just plainly misquoted. Sentences which appear together in print may not have been said consecutively in person. This is merely giving people the benefit of the doubt, and more importantly, not making judgements based on insufficient evidence.

    I don't like your statement "the rest don't understand, and shouldn't try". My main problem with the article (sure, there were technical errors about a mile off the target, but the average joe soap or manager doesn't really care or even need to know about this) was the disinformation contained within. The implication that RFP is a script kiddie or is a threat to security being my main annoyance, and the allegations that korea/brazil are a melting pot of aggressive attackers etc only serve to distort the relevant issues. People need to understand the threats to their assets online. This sort of article doesn't help that, and more to the point, it is disinformation. If people shouldn't even try to understand, as you suggest, then it's a losing battle from the start. These journos, and people in general, should be encouraged to understand.


  • Closed Accounts Posts: 19 nitr0s


    > Originally posted by X_OR:
    > I suppose as someone who has posted a few problems to bugtraq, you feel that he is leeching from you in some small way?

    Did I say I was a hacker X_OR?

    No, I didn't.



  • Closed Accounts Posts: 19 nitr0s


    > Originally posted by X_OR:
    > Was that aimed at me?
    >
    > >Was your name mentioned?
    >
    > >No, it wasn't, so what are you talking about?
    >
    > I can see that the article is a load of rubbish, I wrote to the editor to share my view of it. I was merely answering the ridiculous statements made by nitr0s.
    >
    > >I hadn't expected anything less from you.
    >
    > I have no idea if Mr Hynes is as clueless as that article suggests, after all, as I pointed out, the article was obviously not well researched and who's to say what was quoted out of context or just plainly misquoted. Sentences which appear together in print may not have been said consecutively in person. This is merely giving people the benefit of the doubt, and more importantly, not making judgements based on insufficient evidence.
    >
    > I don't like your statement "the rest don't understand, and shouldn't try". My main problem with the article (sure, there were technical errors about a mile off the target, but the average joe soap or manager doesn't really care or even need to know about this) was the disinformation contained within. The implication that RFP is a script kiddie or is a threat to security being my main annoyance, and the allegations that korea/brazil are a melting pot of aggressive attackers etc only serve to distort the relevant issues. People need to understand the threats to their assets online. This sort of article doesn't help that, and more to the point, it is disinformation. If people shouldn't even try to understand, as you suggest, then it's a losing battle from the start. These journos, and people in general, should be encouraged to understand.

    >Maybe you should become a "journo" you sure like listening to yourself ;-)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Nitr0s, you didn't say you were a hacker, and I didn't say you were a hacker either. Unless I'm mistaken, you have posted problems with software to bugtraq on a few occasions though, and you seem to be suggesting that security consultants are leeching from people who publicise such problems. I also recall the last time you had any contact with me you were trying to get me to develop an idea you had for a piece of software to simulate vulnerable services for use with honeypots.

    As for my name being mentioned, it wasn't, which is why I asked who the post was aimed at ...

    I think you should learn how the quoting works here to make your posts clearer.

    [This message has been edited by X_OR (edited 29-04-2001).]


  • Closed Accounts Posts: 19 nitr0s


    Well you seemed to understand what I had said when quoting you. I didn't really think it would be that big of an issue.
    Also, I am not a hacker, so I've made a few posts to bugtraq, doesn't mean Mr Hynes is leeching off me. I was referring to people who had developed the tools he uses to defend himself, this type of hacker. However it doesn't make RFP a hacker either just because he has posted some problems to bugtraq as well. Are you a hacker X_OR?
    RFP may have highlighted various well known problems to the general public, but does that make him a hacker?
    I don't know of any security tools he's developed besides Whisker which is still based on other ideas rolled into one program.
    The honeypot idea.. yeah, I recall that chat which happened a long time ago, so long, I can't remember when it was, anyway, why bring it up now? I thought you said there was no point in it being developed.
    And maybe you weren't capable of developing such an idea. I wasn't either, that's why I asked you. You have yet to develop anything that will convince me you actually are a hacker. Going over well known problems isn't exactly what I'd call research.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    > Originally posted by nitr0s:
    > RFP may have highlighted various well known problems to the general public, but does that make him a hacker?

    By the correct use of the term, I consider him to be so. I've not used the word in this thread, because it has been causing confusion due to people's different ideas of what it means. He has done more than highlight "well known problems" as you are saying.
    > The honeypot idea.. yeah, I recall that chat which happened a long time ago, so long, I can't remember when it was, anyway, why bring it up now? I thought you said there was no point in it being developed.

    I said I wasn't interested at the time (I was on holidays) but you didn't get back to me like I suggested you did. I brought it up because it was an idea for a security tool, which wasn't of particular interest to me, but may have been of interest to others, and you have made reference to people leeching from people who develop such tools.
    > And maybe you weren't capable of developing such an idea. I wasn't either, that's why I asked you.

    Listening for incoming network connections and sending a banner simulating a vulnerable service is not that tough, really. You could probably have done something similar with netcat. Perhaps you could find someone here with more time on their hands who is willing to develop it.
    > You have yet to develop anything that will convince me you actually are a hacker. Going over well known problems isn't exactly what I'd call research.

    You have no idea of what I've developed. I can pretty much guarantee that you wouldn't be overly impressed by most of it, but it doesn't make you any less ignorant of the fact. I'm also not calling anyone a leech, so that is beside the point.

    I think the confusion that has arisen here would be solved a lot faster if you explained why you thought the developers of OpenBSD were being called script kiddies. The only interesting possibility for a debate I have seen here is whether or not security professionals are leeches, and you didn't give a clear explanation of who you thought they were leeching from until your last post.

    Debating whether either of us is a hacker is just sad, and no one is interested in it. (For the record, I consider myself a wannabe hacker, and maybe one day I'll have learned enough to earn the title).
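
The kind of listener described in the post above (accept a connection, send a banner that imitates a service, record who connected) sketched in Python as an added example; it is not code from the thread or from any of its participants. The banner text, the log record fields and all function names are constructed for illustration, and the demo binds to loopback only.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: imitates an FTP greeting without naming a real product or version.
FAKE_BANNER = b"220 files.example.test FTP server (decoy) ready.\r\n"
MAX_CAPTURE = 512     # cap on bytes recorded per connection
CLIENT_TIMEOUT = 3.0  # seconds to wait for the client's first line


def handle_connection(conn, addr, banner=FAKE_BANNER):
    """Send the decoy banner, capture the client's first bytes, return a log record."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": addr[0],
        "src_port": addr[1],
        "first_bytes": b"",
    }
    try:
        conn.settimeout(CLIENT_TIMEOUT)
        conn.sendall(banner)
        record["first_bytes"] = conn.recv(MAX_CAPTURE)
    except OSError:
        # Timeouts and resets: a client that connects and leaves is still logged.
        pass
    finally:
        conn.close()
    return record


def open_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener; port 0 lets the OS pick a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)
    return listener


def serve(listener, max_connections, banner=FAKE_BANNER):
    """Accept up to max_connections clients one after another; return their records."""
    records = []
    for _ in range(max_connections):
        conn, addr = listener.accept()
        records.append(handle_connection(conn, addr, banner))
    return records


def demo():
    """Run the decoy on loopback and connect once as a constructed client.

    Returns (banner_seen_by_client, log_record_written_by_decoy).
    """
    listener = open_listener()
    port = listener.getsockname()[1]
    results = []
    worker = threading.Thread(target=lambda: results.extend(serve(listener, 1)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=3) as client:
        banner_seen = b""
        while not banner_seen.endswith(b"\r\n"):
            chunk = client.recv(1024)
            if not chunk:
                break
            banner_seen += chunk
        client.sendall(b"USER anonymous\r\n")  # constructed client input
    worker.join(timeout=5)
    listener.close()
    return banner_seen, results[0]


if __name__ == "__main__":
    seen, rec = demo()
    print("client saw:", seen)
    print("decoy logged:", rec)
```

The record only shows the address the connection arrived from, which, as a later post in this thread points out, is not the same as knowing who is behind it.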


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    > I said I wasn't interested at the time (I was on holidays) but you didn't get back to me like I suggested you did.

    Apologies, my mistake, you had just left IRC when I suggested that.


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭yossarin


    out of curiosity - was the honey pot idea like leaving a tasty looking port open ?

    why not just have loads of porn and games on your system - that'll slow down anyone who gets in :)


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    > Originally posted by yossarin:
    > out of curiosity - was the honey pot idea like leaving a tasty looking port open ?
    >
    > why not just have loads of porn and games on your system - that'll slow down anyone who gets in :)

    yea that's what's normally there too. Can't remember the server, but years ago some big server was getting hacked into. Then one day everyone who logged in was greeted with a game to play. While they were playing the game the Feds were tracing the call.

    Personally I think that Mr Hynes is just asking for trouble waving his little flag saying "I'm hack proof".


  • Registered Users, Registered Users 2 Posts: 1,004 ✭✭✭Lord Khan


    God I don't know whether to laugh or use my "script kiddie" powers to hack his microwave.

    it seriously is pathetic, with comments like that who the hell hired that journalist in the first place ...


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    > Was that aimed at me?

    It wasn't "aimed" at anyone.

    Please turn the paranoia gain down.
    > I don't like your statement "the rest don't understand, and shouldn't try".

    Ok, maybe I was a bit OTT with "shouldn't try". Maybe I should have said that "most of them should just give up". Most Irish "technology journalists" have been writing the same old guff for quite some time now, and will never, ever be technology journalists proper.

    Please turn the anal retention gain down.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    I wasn't being paranoid, I just wasn't sure if it was directed at me in particular (it's difficult to tell sometimes if a post is a direct reply, especially when the post appears directly afterwards.)

    With regard to "anal retention", can you point out where exactly you thought I was being anally retentive? I merely shared my view of the article.


  • Closed Accounts Posts: 3 rain forest puppy


    Honestly, I don't see what all the fuss is about?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    > Originally posted by rain forest puppy:
    > Honestly, I don't see what all the fuss is about?

    That's not what the real RFP said.



  • Registered Users, Registered Users 2 Posts: 521 ✭✭✭Ronin


    You have to wonder though who was the one who made all the stupid errors in the article, the journo or Mr H? Cause from reading what's there they haven't an idea what they are talking about..I wonder does Mr H even use a unix distro or is he a 3l33t winblow$ user?

    Oh and script kiddies don't keep people in jobs, the need to maintain the systems keeps people in jobs.

    Ro.


  • Closed Accounts Posts: 19 nitr0s


    I didn't say script kiddies kept him in his job. I said the people he described as script kiddies kept him in his job, like the quote of his.
    "These kids often wear black, stop shaving and look really scruffy. They use pseudonyms such as rain forest puppy and write hacking tools which they make available on the Web," Mr Hynes says.
    This is what HE said.
    Now, my idea of a hacker would be the people who write the same tools he uses everyday to defend himself, firewalls, wrappers, port scanners, anything on UNIX given away free basically. That's why I said that they keep him in his job, although maybe I over exaggerated.
    One point, If Mr Hynes didn't use anyone else's software, and simply developed his own, then I wouldn't say that he relied on hackers to do his job, but he clearly does.
    And he has at the same time criticised them.
    His statements remind me of the time mudge quoted several NT admins claiming that UNIX Sys admins "...they smell, and they don't talk to us"
    Mudge had a humorous way of saying that, he also mentioned the fact that the openbsd operating system was developed by hackers. "Theo's gonna hate me for saying this, but openbsd is made by hackers"
    So, Mr Hynes in my view was critical of the genuine hacker and therefore has no clue as to what he's talking about.
    HE is the script kiddie.
    And maybe it was bad journalism, but they can't quote someone on saying something they never said.
    I just don't think he can say that the people who develop hacker tools are script kiddies, after all, everyone uses these tools if you have anything to do with computer security. And I don't mean exploits.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Ok, that's a lot clearer, and I agree with most of it. The only thing I'm wary of is this:
    > Originally posted by nitr0s:
    > I didn't say script kiddies kept him in his job. I said the people he described as script kiddies kept him in his job, like the quote of his.
    > "These kids often wear black, stop shaving and look really scruffy. They use pseudonyms such as rain forest puppy and write hacking tools which they make available on the Web," Mr Hynes says.

    I can't help thinking that these sentences are both fairly reasonable (well, the first one is a useless generalisation, but apart from that ;) ) when taken on their own. They are only annoying and misleading when put together. Now, maybe he said them in that order (in which case he deserves all the criticism you're heaping on him) and maybe they weren't.
    > Now, my idea of a hacker would be the people who write the same tools he uses everyday to defend himself, firewalls, wrappers, port scanners, anything on UNIX given away free basically. That's why I said that they keep him in his job, although maybe I over exaggerated.

    Tools such as those are useful tools for a security professional, and can help people to do their job better, but I don't think it's fair to say they're keeping anyone in their job. Use of these tools isn't enough to consider anyone a good security professional for one thing. If someone can get by with just using those tools in some haphazard unskilled fashion, then I suspect that people misinformed enough to hire someone like that would be equally misinformed regardless of the tools being used.


  • Closed Accounts Posts: 3 rain forest puppy


    I saw Mr. Hynes at the eXpo at the RDS. The Ernst & Young stall he was at had a massive banner: eXtreme Hacking Bootcamp LOL!!! I tried to talk to him but he told me to have a shave and take a bath :(


  • Closed Accounts Posts: 557 ✭✭✭Snaggle


    > Originally posted by X_OR:
    > I consider myself a wannabe hacker, and maybe one day I'll have learned enough to earn the title).

    To me you've already earned the title of wannabe hacker ;)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Thanks snaggle :)

