GCN August 10, 1998
Hackers, feds say govt. net security stinks
By William Jackson
LAS VEGAS -- Hackers and feds faced off at the Black Hat Briefings last month but
also found they had something in common: a lack of respect for the government's
network security tactics.
"In general, we don't have a clue what the threat is and what ought to be
done about it," said a Defense Department employee who identified himself only as
"Everybody basically does whatever he likes," said Marcus Ranum, a former
hacker who characterized himself as a white hat.
"That's one of the reasons government security is so lame," Ranum said.
"I'll believe the government is serious about security when somebody at the
Pentagon gets fired."
The briefings brought hackers face to face with public- and private-sector systems
administrators for two days of talks. Most panelists were identified by handles or first
names only. The federal session barred photographers.
The hacker panel, despite casual attire, nevertheless represented corporate officials
and consultants. Ranum, for instance, is president and chief executive officer of Network
Flight Recorder Inc. of Woodbine, Md., a network monitoring tools maker.
One hacker, identified only as Artimage, said, "Right now I'm a college
student, so I'm doing it for the grade. But next year, I'm in it for the money.
I'm a whore; I admit it."
For the most part, the panelists presented themselves as ethical hackers who
distinguished between breaking into systems and breaking code to identify weaknesses.
"The only people who really break into machines are malicious kids," said a
hacker who called himself Peter.
The federal participants had even more complaints about government security practices
than they did about hackers.
"A lot of managers have no idea where to start looking for vulnerabilities,"
said a government auditor who identified herself as Ceil.
"I have become very cynical about the people who manage government systems and the
vendors who are selling them things to secure those systems. You wouldn't sell a
Porsche to a 3-year-old who wanted a Matchbox car, but that's what they're
doing: selling Porsches to dumb little 3-year-olds," Ceil said.
She said parochial attitudes and stovepipe mentalities within agencies make it
difficult to assess problems, let alone find solutions.
One federal employee, who performs vulnerability assessments for the Defense
Information Systems Agency, defended government security efforts.
"We've got old management with old ways of thinking who need to be
educated," he said, "but the government is not sitting idly by."
"Flaws are getting identified and closed," he said. "It's a problem that is
never-ending. Congress is throwing a lot of money at it."
"Making a system Internet-accessible is asking for trouble," said a hacker identified as
"There should be liability for not doing due diligence on your system when
you've invited people in to take a look," he said.