Barney's Blog


Mailbag: Interop Future

After it was announced that Microsoft's OOXML has been approved as an official standard, Doug asked readers about their thoughts on interoperability and Microsoft's standards play. The outlook isn't very optimistic:

Redmond's history with standards development and interoperability has ranged from a high of poor, to a low of deliberate sabotage. While I find it amusing that everyone sees this as a move to a more open, competitive, software environment, it is still inconsistent with Microsoft's business model. In the history of man, there has never been an altruistic monopoly. No reason to expect one now.
-Anonymous

I have old 16-bit Windows Write files that NO later MS editor displays right. Not WordPad, not WinPad, not Word for Win 95 or Word 97 or Word 2000, nor the Win 95 Write stub -- only old Win 3.1's original Write.exe seems able to display or print those critters the way they were originally designed to look and print. It'd be really refreshing if Windows 7 could offer some means of displaying and printing these correctly again -- and maybe even editing them.

On another tack, it would be nice if whatever IE MS includes in Windows 7 would let itself be closed even when (indeed, especially when) not all tabs have finished loading. Currently, the only way I can close IE 6 (in XP) or IE 7 (in [ugh!] Vista) before everything has finished loading is to kill its process with Process Explorer. I'm not holding my breath, though, on either count.
-Fred

And readers share their thoughts on George Ledin, a professor who teaches his students hacking techniques -- and apparently gets a lot of grief for it.

I also read this Newsweek article and I think he is right on the money. If I were hiring someone to help with our security, I would place high value on someone who had a clear understanding of hacker methodologies.

I sat in on a Microsoft Tech-Ed session on security once. It was conducted by a Microsoft security professional who obviously knew how hackers operate. I think this knowledge would be essential to a competent security professional.
-Anonymous

Keep your friends close and your enemies closer. Yes, teach hacking.
-Milton

Is it wrong to teach hacking techniques? If it is, then every police officer is a criminal. Every computer science student needs to learn how to attack a system. Otherwise they will not know how to defend against it or recognize such attacks.

And for a very bad reference, look at Bruce Wayne in "Batman Begins." He could not understand the criminal mind until he became one.
-Brian

How about looking at this question from a slightly different point of view? How many good security analysts out there do not understand how the attacks are committed? Zero. There aren't any. It is their business to know how the attacks happen, and thus how to protect from those attacks.

Anybody can follow a list of best practices, but it takes people who understand the attacks to be able to write and change those best practices, and to understand how and under what circumstances you can deviate from those practices.
-Dan

Like you, I believe the only way to fight hacking is to know hacking. I believe learning hacking techniques is vital to anyone wishing to have a career in computer security. Look at it this way: Wouldn't everyone like to have some inside knowledge of their competition? Sports teams spend huge amounts of time studying their competition. Companies are in a constant struggle to not only find out what the competition is up to but to figure out how to be one step ahead of them, as well. Why shouldn't we as computer security professionals use the same techniques against our competition?

Learning hacking techniques has drastically changed my role as a network administrator. When I prepare to publish a new application on my Web site, it is no longer enough to simply make sure it looks good and functions properly. The first thing that comes to mind is whether the application is vulnerable to cross-site scripting attacks or buffer overflow attempts, and whether all user input is properly validated and sanitized. Thanks to my knowledge of hacking, I now look at everything I do from the perspective of my competition. If you think that is a bad thing, then be prepared. Because your competition is going to walk all over you -- and your network.
-Steven

I think you are absolutely on track. The outrage being expressed against Ledin seems to fall into two camps. There's the Atomic Bomb Theory, which says that making this information available to the student base greatly increases the dissemination of knowledge that could otherwise be contained. Sort of a Malware Non-Proliferation Treaty. However, the vast amount of malware out there from disparate sources refutes this supposition. The people out there that we need to worry about already have ample access to this information.

Then, there's the Secret Algorithm Theory. This is hinted at in the article, where the state of malware protection is compared to that of cryptography some decades ago. It was discovered that "secret" algorithms seldom stay secret for long, and the real strength is known algorithms that are tested on many fronts and still survive. In short, true security consists of finding the risks and applying a disciplined approach to destroy them without mercy (my true feeling on malware leaking through a bit). I would hazard a guess that the major security players have internal training very similar to what Dr. Ledin is offering at Sonoma State University. If there is any justice, he will years from now be remembered as a leader in the emergence of computer security engineering.
-David


Posted by Doug Barney on August 20, 2008
