
List:       cryptography
Subject:    Re: Gently nurturing the misguided hacker with baseball bats
From:       Vin McLellan <vin () shore ! net>
Date:       1999-03-24 7:07:28

[I've been censoring this thread since it wasn't purely cryptography
related and since I had heavy skepticism about the original report
(which made it through to "Cryptography" some months ago). However,
this particular message is sufficiently interesting as a followup that
I'm letting it -- and only it -- through. --pm]

        Winn Schwartau reported the comments of "Lou Cipher" (a pseudonym of
Mr. Cipher's choice), whom he identified as a "senior security manager at
one of the country's largest financial institutions."

>> "We have actually gotten on a plane and visited the physical
>> location where the attacks began. We've broken in, stolen the
>> computers and left a note:  'See how it feels?' " On one occasion,
>> he says: "We had to resort to baseball bats. That's what these
>> punks will understand. Then word gets around, and we're left
>> alone. That's all we want, to be left alone."

        I growled about this on another list when it was first published,
expressing great skepticism about the report. 

        I was subsequently contacted by a friend -- an old pro in computer
security -- who told me he had met "Mr. Cipher" and confirmed that the
gentleman did indeed hold the type of position Mr. Schwartau described. He
also confirmed that "Mr. Cipher" did indeed claim to have taken this sort of
direct (and overtly illegal) action -- as unrealistic as it seemed to me and
others of similar bourgeois bent.

        What seemed unlikely to me was that a reputable institution would
place itself at risk by condoning such actions, or that a guy bred to
corporate CYA ethics would place his job on the line by ordering such actions.

        OTOH, I and many others have seen "competitive analysis" ops in
major US corporations turned loose with little in the way of operational
guidance but a requirement that a team of freshly-suited ex-spooks produce
results. I've also seen major computer companies offer lucrative consulting
assignments to almost anyone who could obtain for them closely guarded
technical information (from or about competitors.) 

        I'm also familiar with corporate security ops in a variety of
industries (Big Oil, aerospace, defense procurement) which seemed to
routinely run amuck.  I'm also of the informed opinion that maybe one in
five of the telephone taps set up by US police are actually legal.  

        So _why not_ a network manager who thinks like a wildman?  Where is
it written that understanding RADIUS or network topology confers common
sense, or good judgement?

        Where management rewards results -- and makes a point of not knowing
how results are obtained -- I can easily see free-lance rent-a-cops being
given such a vigilante assignment against a hacker.  Given the horrendous
cost of cleanup after an acknowledged hacker intrusion (even when no overt
damage is done!) it could easily be cost-effective.

        I'm almost more surprised that it apparently works, at least
according to "Mr. Cipher."  I don't know why I expect a vandal, thief, virus
writer, or hacker to have "courage of convictions" -- or some equivalent
source of courage and constancy -- when he is physically hurt, confronted
with tangible and costly losses, or faced with believable physical and
economic threats. 

        These guys are, in fact, creatures of the shadows, likely to suffer
severe shock if they are just identified and confronted -- maybe all the
more so, if they go nose to nose with someone who is not constrained by the
niceties of the Law.  

        The truth is, smart anti-hacker vigilantes are probably no more
likely to be identified or caught than the typical car thief or other
street-savvy crook. Good odds -- maybe even the basis for a viable business
plan.  The automated Payback software that Winn's article seemed to tout as
locked and loaded in the IT armory of many major corporations would seem to
be far more risky, given the quality of authentication on the Net today.

        The executive who issues a contract for such a physical attack would
seem to be most at risk from his hired vigilantes, or anyone else who could
finger him and his firm. I'll bet, however, there are spook protocols in
some CIA manual for getting this sort of business done at arm's length. No
direct contact. No proof as to the source of funds. The vigilantes would not
even have to know who they are working for to get the message across with a
certain air of self-righteousness.

        Surete,
                _Vin

-----
      Vin McLellan + The Privacy Guild + <vin@shore.net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                         -- <@><@> --
