as an official standard, Doug asked readers about their thoughts
on interoperability and Microsoft's standards play. The outlook isn't very optimistic:

Redmond's history with standards development and interoperability has
ranged from a high of poor, to a low of deliberate sabotage. While I find
it amusing that everyone sees this as a move to a more open, competitive,
software environment, it is still inconsistent with Microsoft's business model.
In the history of man, there has never been an altruistic monopoly. No reason
to expect one now.

I have old 16-bit Windows Write files that NO later MS editor displays
right. Not WordPad, not WinPad, not Word for Win 95 or Word 97 or Word 2000,
nor the Win 95 Write stub -- only old Win 3.1's original Write.exe seems able
to display or print those critters the way they were originally designed to
look and print. It'd be really refreshing if Windows 7 could offer some means
of displaying and printing these correctly again -- and maybe even editing

On another tack, it would be nice if whatever IE MS includes in Windows
7 would let itself be closed even when (indeed, especially when) not
all tabs have finished loading. Currently, the only way I can close IE 6 (in
XP) or IE 7 (in [ugh!] Vista) before everything has finished loading is to
kill its process with Process Explorer. I'm not holding my breath, though,
on either count.

I also read this Newsweek article and I think he is right on the
money. If I were hiring someone to help with our security, I would place high
value on someone that had a clear understanding of hacker methodologies.
I sat in on a Microsoft Tech-Ed session on security once. It was conducted
by a Microsoft security professional who obviously knew how hackers operate.
I think this knowledge would be essential to a competent security professional.
Keep your friends close and your enemies closer. Yes, teach hacking.

Is it wrong to teach hacking techniques? If it is, then every police officer
is a criminal. Every computer science student needs to learn how to attack
a system. Otherwise they will not know how to defend against it or recognize

And for a very bad reference, look at Bruce Wayne in "Batman Begins."
He could not understand the criminal mind until he became one.

How about looking at this question from a slightly different point of
view? How many good security analysts out there do not understand how the
attacks are committed? Zero. There aren't any. It is their business to know
how the attacks happen, and thus how to protect from those attacks.
Anybody can follow a list of best practices, but it takes people who
understand the attacks to be able to write and change those best practices,
and to understand how and under what circumstances you can deviate from those

Like you, I believe the only way to fight hacking is to know hacking.
I believe learning hacking techniques is vital to anyone wishing to have a
career in computer security. Look at it this way: Wouldn't everyone like to
have some inside knowledge of their competition? Sports teams spend huge amounts
of time studying their competition. Companies are in a constant struggle to
not only find out what the competition is up to but to figure out how to be
one step ahead of them, as well. Why shouldn't we as computer security professionals
use the same techniques against our competition?

Learning hacking techniques has drastically changed my role as a network
administrator. When I prepare to publish a new application on my Web site,
it is no longer enough to simply make sure it looks good and functions properly.
The first thing that comes to mind is whether the application is vulnerable
to cross-site scripting attacks or buffer overflow attempts, and whether all
user input is properly validated and sanitized. Thanks to my knowledge of
hacking, I now look at everything I do from the perspective of my competition.
If you think that is a bad thing, then be prepared. Because your competition
is going to walk all over you -- and your network.

I think you are absolutely on track. The outrage being expressed against
Ledin seems to fall into two camps. There's the Atomic Bomb Theory, which
says that making this information available to the student base greatly increases
the dissemination of knowledge that could otherwise be contained. Sort of
a Malware Non-Proliferation Treaty. However, the vast amount of malware out
there from disparate sources refutes this supposition. The people out there
that we need to worry about already have ample access to this information.
Then, there's the Secret Algorithm Theory. This is hinted at in the article,
where the state of malware protection is compared to that of cryptography
some decades ago. It was discovered that "secret" algorithms seldom
stay secret for long, and the real strength is known algorithms that are tested
on many fronts and still survive. In short, true security consists of finding
the risks and applying a disciplined approach to destroy them without mercy
(my true feeling on malware leaking through a bit). I would hazard a guess
that the major security players have internal training very similar to what
Dr. Ledin is offering at Sonoma State University. If there is any justice,
he will years from now be remembered as a leader in the emergence of computer