Security is heavily influenced by the inner workings of the (human) mind. We all know about social engineering and tricks used by con men. The game of smoke and mirrors now hits the „uncontrolled spread of hacking tools“. We have already pointed out that the European Union is preparing a proposal for „banning“ „hacking tools“. There is now a case on-line where a print magazine was allegedly removed from the shelves of Barnes & Noble. Apparently the cover story was too dangerous, because it announced how to „teach you to break into networks, exploit services running remotely, beat encryption techniques, crack passwords, and more.“ The real dark side of this story is that these skills are discussed at most self-respecting security conferences. These skills are even part of a very basic job description in the field of system administration. Universities teach classes covering very similar topics.
How did the editors of the magazine react? They put the cover story on-line. While the countermeasure circumvents the censorship of the book shelves, it doesn’t address the deeper mindset problem at work. The discussion about dual-use goods is very old. We have seen the crypto wars (which may be resumed again), we have the discussion of introducing backdoors to software (again and again), and now the discussion turns to „hacking tools“. No matter how many rules you might think of, the problem stays in the mindset. This is exactly why criminal intent comes into play. You can subvert a lot of harmless tools to do bad things. This doesn’t start with the Internet, software or computer hardware. It starts with screwdrivers, axes, words or brilliant ideas. We know this is not news: the range of „hacking tools“ is vast. We just hope that removing educational literature from book stores and the Internet won’t be a new trend. Otherwise we will need to host future DeepSec events at secret locations. Come to think of it, we might adopt some rules, too.
- You do not talk about SECURITY RESEARCH.
- You DO NOT talk about SECURITY RESEARCH.
- If a code says “stop” or goes limp, taps out, the research is over.
- Only two hackers to a research.
- One research at a time.
- No NDAs, no lawyers.
- Research will go on as long as it has to.
- If this is your first night at SECURITY RESEARCH, you have to hack!
Let’s hope we never get there.