
Hacker Jeff Moss Sworn Into Homeland Security Advisory Council

Wolfgang Kandek writes "Hacker Jeff Moss, founder of computer security conferences DEFCON and Black Hat, has been sworn in as one of the new members of the Homeland Security Advisory Council (HSAC) of the DHS. Moss, who goes by the handle 'the Dark Tangent' says he was surprised to be asked to join the council and that he was nominated to bring an 'outside perspective' to its meetings. He said, 'I know there is a new-found emphasis on cybersecurity, and they're looking to diversify the members and to have alternative viewpoints. I think they needed a skeptical outsider's view because that has been missing.'"
This discussion has been archived. No new comments can be posted.

  • by h00manist ( 800926 ) on Saturday June 06, 2009 @01:34PM (#28234455) Journal
    Either he resigns in disgust or becomes assimilated.
  • by Tyrun ( 944761 ) on Saturday June 06, 2009 @01:38PM (#28234481)
    This is actually a great step forward. Why not have some of the best hackers review our current practices?
  • by Jawn98685 ( 687784 ) on Saturday June 06, 2009 @01:39PM (#28234497)
    Seriously. I have no doubt that Jeff has the chops and the "perspective" that has definitely been "missing". I watched the eyes of Richard Clarke and his entourage glaze over at a "town hall" meeting with the "President's Critical Infrastructure Protection Board" (or whatever they called it then) in Portland about 8 or 9 years ago, as some very smart security folks told them what was coming and what needed to be done. Honestly, I don't know if they just couldn't grasp the issues or if they were more interested in political play, but the message was quite plain: "the government" was going to be no help in securing things. Political inertia being what it is, I doubt that much has changed, the current administration's well-meaning efforts notwithstanding. Jeff is in for a frustrating ride, I fear.
  • by BitZtream ( 692029 ) on Saturday June 06, 2009 @02:09PM (#28234711)

    Well, if you stop looking at it as an insult to your team, and more as nothing more than a joke, it was pretty funny. I voted for Obama, and I still thought it was funny as shit.

    But ... let's be realistic here, the jury is still out on intelligent and competent, I've seen nothing in particular so far to make me believe he is truly any different. It's practically impossible to tell this early on how it's going to play out, you really don't know his agenda yet, just what you're supposed to think it is.

  • by h00manist ( 800926 ) on Saturday June 06, 2009 @02:12PM (#28234723) Journal
    I've heard from various friends working in governments of threats, bribes, and turning a blind eye. Having a voice is great of course, and resigning in disgust is proper use of that voice. But to stay inside and really use your voice means either being threatened with being fired (at best), or saying things that you are allowed to, meaning, what was approved, not the full unabridged truth. If they let him in on some scope of attacks that happen all the time, say he is going to be helping, and offer him a salary and future "upgrades", he'll want to stay. Perhaps he'll find out something about how the security/surveillance works, or something or other, not agree with it, and wish to denounce it. The choices will be laid out.
  • by Tweenk ( 1274968 ) on Saturday June 06, 2009 @02:24PM (#28234793)

    The password is not encrypted, it is cryptographically hashed (encryption is two-way, hashing is one-way). A hash function transforms an arbitrary length input into a fixed length output, so there is no inverse function in the mathematical sense: a single hash value has an infinite number of inputs corresponding to it. Finding a value that produces a given hash is extremely hard: a good hash function will not have any way of computing such a value more effective than brute force (e.g. you try all possible inputs until one of them gives you the hash you're looking for).

    As for reversing the algorithm: in essence, the generation of the password hash always uses a stateful generator, and this state is not preserved in the hash. When trying to reverse the hash, you must know not only the hash but also the state of the generator at the end of the algorithm, otherwise backtracking to the initial state of the generator defined in the hash function definition can take more than the age of the universe, even if you used all the computing power on earth to break this single password. Another mathematical idea that is frequently used is that if you have two very large prime numbers x and y, you can quickly compute their product z, but you can't easily find x and y if you only have z. Unless you have a quantum computer, which doesn't exist yet.

    Real world analogy: it's nearly impossible to find two persons with the same fingerprints, but the fingerprints themselves don't contain any information about the name of the person. If you have a fingerprint and a person, you can easily identify if the fingerprint belongs to the person, but if you only have the fingerprint, you need to check the fingerprints of all people to find a person that has the same fingerprint.

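The one-way and fixed-length properties Tweenk describes above, shown in working code. This is an added example, not code posted in the thread: it assumes PBKDF2-HMAC-SHA256 from Python's standard `hashlib`, a random 16-byte salt, and a constant-time comparison for verification; the password strings and iteration count are constructed for the demonstration.

```python
"""Password hashing as a one-way function (added example, not from the thread).

Assumptions (the example's, not the thread's): PBKDF2-HMAC-SHA256 via
hashlib.pbkdf2_hmac, a random 16-byte salt stored beside the digest, and
hmac.compare_digest for the comparison.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor: every verification (and every guess) costs this many HMAC rounds.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    The digest is always 32 bytes whatever the password length, which is the
    "arbitrary length in, fixed length out" point from the comment: many inputs
    map to each output, so there is no inverse to compute.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """The fingerprint check: with a candidate in hand, recompute and compare.

    compare_digest runs in constant time so the comparison itself does not
    leak how many leading bytes matched.
    """
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Exercise the properties so a caller (or test) can check them."""
    password = "correct horse battery staple"  # constructed sample value
    salt, stored = hash_password(password)
    return {
        # fixed-length output regardless of input size
        "digest_len": len(stored),
        "long_input_digest_len": len(hash_password("x" * 10_000, salt)[1]),
        # verification works only by recomputing with the right input
        "verify_right": verify_password(password, salt, stored),
        "verify_wrong": verify_password("correct horse battery stable", salt, stored),
        # same salt -> same digest (what makes verification possible at all)
        "deterministic": hash_password(password, salt)[1] == stored,
        # fresh salt -> different digest, so identical passwords on two
        # accounts cannot be spotted by comparing stored values
        "salted_differs": hash_password(password)[1] != stored,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt and iteration count are what turn the comment's "brute force is the only way" from a property of the function into a cost the defender controls: each guess must be recomputed per account and per salt, and the work factor decides how expensive every one of those recomputations is.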
  • by Anonymous Coward on Saturday June 06, 2009 @02:35PM (#28234873)
    I don't think the jury is still out on intelligent, at least. He did go to an ivy league school, and his daddy wasn't in politics, or rich. He also didn't just barely scrape by with C's, he graduated with honors. Oh, and then he's written his own books (as opposed to authorizing other people to write them, like most politicians). You could argue that the jury is still out on "different" and even "competent" but I don't think you could seriously make an argument that he isn't intelligent.
  • Not quite (Score:5, Insightful)

    by WilliamBaughman ( 1312511 ) on Saturday June 06, 2009 @02:37PM (#28234901)
    I'll take the bait. The phrase "poacher turned gamekeeper" refers to someone who now protects the interests they previously attacked. Jeff Moss never (in public knowledge) attacked the security of the United States. He has exposed weaknesses in various security systems, but that's often considered helpful. It would be more like a naturalist with a BA in Criminal Justice turned gamekeeper.
  • by crush ( 19364 ) on Saturday June 06, 2009 @03:00PM (#28235193)

    Give me a break. It's another talented, unethical scumbag joining up with the even bigger scumbags in government so that they can fuck us over more efficiently. Immunity and privilege for him, surveillance for the rest of us.

  • Re:Not quite (Score:3, Insightful)

    by _Sprocket_ ( 42527 ) on Saturday June 06, 2009 @10:28PM (#28238461)

    The name of the House Committee escapes me, but they do yearly reports on computer security and gov't agencies regularly get Ds (up from their previous Fs).

    The big question is what do these grades really mean? Do they really provide any true indication as to how effective the Government is at securing their systems? Is a 'D' all that much better than a 'F'? And what does it mean if an organization manages a 'B' (mine did)?

    But at the same time, I get a feeling that it sort of does give an impression as to where things are. A 'D' just isn't all that great. But it is better than a 'F'.

    My little nook of the Fed world improved over the years. Infosec took on new meaning when the top of the Fed hierarchy started throwing around requirements and putting on their serious face. I would imagine things ARE getting better all in all. It's just darned hard to tell how much better.

    http://csrc.nist.gov/groups/SMA/fisma/index.html [nist.gov] demonstrate its compliance with the security requirements as opposed to how well the requirements are actually implemented.

    NIST Special Publication 800-53 is what I had in mind. It's generated a ton of work for contractors to bring in auditors. And in my (limited) experience, it's a great opportunity for someone with no infosec background to "get in to security" as auditors are simply required to follow the documentation. Said documentation can be turned on its ear by a sufficiently adept bureaucrat in some cases (and avoided if your auditor isn't too technical in others). But despite my cynicism... it's something. There ARE some good practices in that document. And NIST has put out some nice automated scripts to help hash it all out (best keep an eye on what it's doing though). So it's not ALL bad. Just not great.
