Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Internet Your Rights Online

The Myth of the Superhacker 305

mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."
This discussion has been archived. No new comments can be posted.

The Myth of the Superhacker

Comments Filter:
  • by yagu ( 721525 ) * <yayagu.gmail@com> on Wednesday April 11, 2007 @03:52PM (#18694679) Journal

    I live in a world where daily I hear people describing their monitor as their computer, and their computer as their "hard drive", or some other such mangled interpretation. That's actually very okay, it's not their job to have to know, and good for them for having some mental map.

    What I find not surprising about the article's conclusions is even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work. Hence, much of the alarm over internet terrorism and superhackers potential to bring the IT world to its collective knees spawns from barely literate computer "geeks". At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape (hmmmm, Peter Principle?).

    • by jimbolauski ( 882977 ) on Wednesday April 11, 2007 @04:02PM (#18694797) Journal
      The solution to super hackers is simple, hot women need to take one for the team and date some nerds, this way their not in their parents basement but our with a real live girl. Girls on the plus side you can walk all over them and get anything you want.
    • by vux984 ( 928602 )
      And it seems the higher up the ladder one goes...

      Who was it that thought interwebs is a series of tubes...? Surely not a Senator chairing a committee on internet commerce... oh wait...
    • Re: (Score:3, Interesting)

      by DynaSoar ( 714234 ) *
      I could easily say the same thing about the people I encounter in science. In particular, the author of this article. In TFA, he defines his term and then deconstructs his own definition. An imaginary straw man. In his linked article on DRM, he calls it empirical despite the fact it's a survey. He draws conclusions despite his admission that it was not statistically significant. It's easy to pull science out of your ass and call it empirical, and apparently to get attention for it, when you're presenting it
    • Re: (Score:2, Insightful)

      by lmnfrs ( 829146 )

      "At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape.."

      You're completely right about that, it is the norm. At every tech job I've had there has been a maximum of 2 levels of superiors being knowledgeable and intelligent. Often, everybody above my immediate boss sounds braindead when trying to instruct their workers. And unfortunately, there are always some worke

      • by Intron ( 870560 ) on Wednesday April 11, 2007 @04:21PM (#18695055)
        I recently suggested to my boss that instead of mailing me web pages that he wants me to look at, he mail me links to the web pages, but I don't think that I got through to him.
        • by Joebert ( 946227 )
          Bosses are tricky creatures, it's much more effective to just do somthing & pretend they're brilliant when they send out a memo informing everyone that they've devoloped a new procedure.
      • At every tech job I've had there has been a maximum of 2 levels of superiors being knowledgeable and intelligent.

        ... about tech. That's because it's your job to know about tech, it' their job to run whatever portion of the company they run. They quite possibly think of you as "knowledgable about computers, and nothing else". I think that it normal for everyone to appear unintelligent or ignorant when their area of expertise is far removed from that of the observer.
    • Re: (Score:2, Insightful)

      by blhack ( 921171 )
      These barely literate computer "geeks" really are the real threat though. They are the type of people how get very frustrated at their own incompetence and do stupid things in order to "prove themselves". Also, the reason that the higher up you go, the lower IT knowledge seems to get is that Skills in IT are almost necessarily inversely proportional to management skills. People who lack management skills are forced to compensate by learning more about computers (in the field of IT i mean), while ones who
    • by Ant P. ( 974313 )
      Argh. If there's one thing I can't stand, it's lusers mincing the terminology. Like calling everything on the screen a "website" - if I hear "wat's dis website" again and see a blank desktop I'll scream.
    • by ResidntGeek ( 772730 ) on Wednesday April 11, 2007 @04:22PM (#18695075) Journal
      It's not just the incompetent that think that way, I'd go so far as to say a vast majority of computer-interested people do. Which is more entertaining to read, and think about: Stealing the Network: How to Own a Continent, with its stories of master programmers writing the best rootkits ever made over the course of two weeks to install on the systems they're about to root with their 0days for the purpose of bouncing their traffic around the internet while they use IPv6 to get around firewalls on Japanese military computers as a test to find out if they're worthy to hack the computers of several African banks for a mysterious man named Knuth in conjunction with a phreak gaining access to an African telephone switch by use of a stolen cell phone so that Knuth can intercept the phone calls of an enemy while a third hacker, who happens to be a very attractive female drunk and recently returned from shagging a random good-looking but smart computer nerd she met at the club while on Ecstasy, uses steganography software to send a message across the globe to a chick she met a while back (who is also a good-looking female computer nerd), all this happening at the same time a 16-year-old college sophomore (with a hot, nerdy asian girlfriend) is pulling a sweet hack involving duct-taping a laptop to the back of a computer cabimet and using it to intercept all traffic to a lab computer for the purpose of concealing his SSN-stealing activities on the school's network so that Knuth can sufficiently conceal his identity for his trip to South America where he'll live comfortably off the interest for the rest of his life, free from any government oppression................ or a study showing that almost all botnets are built using one of two common worms?

      People want something to aspire to, and the idea of the existence of a superhacker controlling every aspect of the internet at a moment's notice is pretty good at taking up brain space.
    • Re: (Score:2, Insightful)

      by aeoneal ( 728354 )
      even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work

      The definition of a "whiz" seems to be "anyone who knows more than I do." Partly this is because people don't understand the subject, but I think mostly it's to bolster our own egos. If the person who knows more is some kind of guru, it's ok that they know more; but if they're just someone who delved a little deeper and perhaps read a few books it casts the know-less/know-no
  • by Trigun ( 685027 ) <evil&evilempire,ath,cx> on Wednesday April 11, 2007 @03:57PM (#18694749)
    The biggest trick Satan ever pulled was convincing the world he doesn't exist
    • Re: (Score:2, Insightful)

      Comment removed based on user account deletion
      • Re: (Score:2, Informative)

        by Anonymous Coward
        The concept and even the name of Satan predates the catholic church by a long time.
      • Re: (Score:3, Funny)

        by marcello_dl ( 667940 )
        > The biggest trick the Catholic church ever pulled was convincing the world he does.

        I can understand doubts about the existence of a god, but this? You mean that after witnessing Windows and the RIAA you still don't believe in the existence of Evil Design? They are way too evil to have happened by chance.
    • by Logic and Reason ( 952833 ) on Wednesday April 11, 2007 @04:12PM (#18694955)
      Actually that quote originally comes from the French poet Baudelaire in the 1864 short story "Le Joueur généreux." The Usual Suspects just popularized it.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      The biggest trick the period ever pulled was convincing you it doesn't exist.
    • Quote? YOU FAIL IT! (Score:4, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday April 11, 2007 @04:27PM (#18695141) Homepage Journal
      It's too bad the quote [dailyscript.com] is "the devil" or you might have gotten yourself some free geek credibility there.
    • Re: (Score:3, Interesting)

      by PitaBred ( 632671 )
      http://www.cs.helsinki.fi/u/hprajani/phun/god-v-sa tan.png [helsinki.fi]

      Screw that. Give me Satan any day.
    • by hey! ( 33014 ) on Wednesday April 11, 2007 @04:43PM (#18695343) Homepage Journal
      St. Augustine has a worthwhile point to make here.

      He was dealing with a fundamental theological problem: how does a good God create a universe in which evil exists. He came up with a novel solution: it's all good, but evil chooses lesser goods over greater goods -- an concept closely akin to the modern economic concept of opportunity cost. You cannot have the capacity to choose without the capacity to choose the wrong thing; if you were forced to choose the right thing all the time then you wouldn't have free will. Therefore free will implies the existence of evil, which is not a thing in itself, but a deficit.

      Dante sharpens Augustine's point in the Divine Comedy: evil is really the result of stubborn, even aggressive stupidity. As outlandish as the punishments that are meted out in the Inferno, they're all pretty much people getting unlimited quantities of whatever it was they pursued in life.

      The Devil, then, doesn't need to exist; at least if he does he has no power of his own. There is no need to believe in the nearly all-powerful devil of neo-Christian folklore. The power of Satan, both biblically and by orthodox theology, lies in the stupidity and stubbornness of humanity. A near omnipotent Devil is not really any better off than a powerless but tricky one because (a) near omnipotence is not very useful when the other side is omnipotent and (b) it is impossible to spread evil (in the Augustinian sense) by the exercise of raw power.

      Which brings us to the Superhacker. There is no need for a hacker to obtain near omnipotent technical skills. In any case people with extremely high levels of technical skills have better uses for them. Instead, a hacker exploits the stubbornness and stupidity of people who own computers. They won't pay competent people to manage them. They'll choose software for superficial convenience. In Augustinian terms they choose the lesser goods of short term cost savings and convenience over the greater good of security.

      • "There is no need for a hacker to obtain near omnipotent technical skills"

        Who says that just beacuse you are at that level you are somehow magically honest? Often times its the thrill of cheating the system that appeals to the upper % of the food chain in the first place.
        • Re: (Score:3, Insightful)

          by hey! ( 33014 )
          It's not that you're magically honest. It's that you have more opportunities than the mediocre, opportunities that are more interesting, equally or more rewarding, and don't involve the risk of going to jail.

          I'm not saying there aren't technically very strong black hats, but they hardly represent the peak of technical skills.

          Can you imagine a Ron Rivest wasting his time devising rootkits? Or Bruce Shneier? That's journeyman work. Yes, it takes some skill, and patience, but is hardly a suitable field for e
          • by nurb432 ( 527695 )
            Oh, but i disagree totally.

            Crime attracts the highest of genius for the sheer challenge.. ( and the scum for easy money, but that isnt what we are talking about here )
            • by timster ( 32400 )
              Crime attracts the highest of genius in the movies. In real life, I can point you to any number of geniuses who took on far greater challenges than any crime... whereas it's rare that a crime is even interesting to read about, let alone a work of genius.
      • by woolio ( 927141 )
        evil is really the result of stubborn, even aggressive stupidity.

        Wow... I should read more... Dantes already knew that our C.i.C would be Evil. I can't exactly call him "Dr. Evil" since he is not educated.
    • Re: (Score:3, Funny)

      by istewart ( 463887 )
      The biggest trick Batman ever pulled was convincing the world he doesn't exist
  • by quokkapox ( 847798 ) <quokkapox@gmail.com> on Wednesday April 11, 2007 @04:00PM (#18694771)

    There are no super hackers out there.

    Disregard that, I suck cocks.

    • Re: (Score:3, Funny)

      by Anonymous Coward
      ...I suck cocks.

      If you're a guy, you should have waited for an Apple/Mac related story. Then, you would have been on topic.

      Mods - that was "Flamebait", the parent was "Troll", "Overated" or maybe "Offtopic".

      On the other hand, if he/she said "Macs are great!" and then said "I suck cocks.", then that would be on topic, although, redundant.

    • by Captain Splendid ( 673276 ) <`capsplendid' `at' `gmail.com'> on Wednesday April 11, 2007 @04:16PM (#18695003) Homepage Journal
      Mods on crack alert. The comment is a direct reference to this bash.org quote. [bash.org] Somebody please sort it out.
      • Re: (Score:2, Informative)

        by mahmud ( 254877 )
        Heh, I thought he was just using one of kevinsmithisms.
  • Hmmm (Score:5, Funny)

    by kildurin ( 938538 ) on Wednesday April 11, 2007 @04:02PM (#18694803)
    I just came from a meeting on this very topic. The thing I came away from this meeting is that the real fear is that the Superhacker works for you. Or worse yet, you let him go yesterday. O. M. G.
    • Re: (Score:3, Insightful)

      by multisync ( 218450 )
      I think it's the exact opposite: the more hackers you have working for you, the less you'll have to worry about a "Superhacker" (or a "Superdentist," or a "Superhairdresser," or a "Superanything") threatening your security.
      • by Joebert ( 946227 )
        Maybe, but what happens when your public relations go down the toilet because you have a bunch of "hackers" working for you ?
        • Maybe, but what happens when your public relations go down the toilet because you have a bunch of "hackers" working for you ?

          If you mean black hats then the 6 people who care will boycott your product.
  • by gbulmash ( 688770 ) <semi_famous&yahoo,com> on Wednesday April 11, 2007 @04:04PM (#18694823) Homepage Journal
    Just as with any other field or profession, hacking is getting more specialized. It's not that the "superhacker" does not exist, but that such an animal's existence is getting harder and harder to maintain merely because of the expanding skillset and knowledge it takes to be a "hack anything" hacker.

    That said, a lot of exploits don't come from being a super techie hacker with the skillz to defeat any system through sheer programming ingenuity or brute force. A lot of them still come from social engineering... convincing foolish people to give you enough information that a middle manager could hack them using nothing more than a standard login.

    Where the "superhacker" mainly exists is in the movies. The guy who can pull out his laptop at any given location and hack into any given location on demand and with no preparation or research into the target. He's the human equivalent of the gun that doesn't run out of bullets and hair that dries into a perfectly coiffed do within seconds of getting out of the water.

    - Greg
    • by businessnerd ( 1009815 ) on Wednesday April 11, 2007 @04:47PM (#18695391)
      Agreed... Kevin Mitnick, as we all know is one of the more famous hackers, yet many argue that it was not his technical skills that made him so famous. It was his social engineering skills. He knew how to extract the right information from the right people so that he could then exploit the system.

      Interestingly, they did make a movie about him, Takedown. While no Oscar winner, I felt is was one of the better hacking movies Hollywood has put out. As opposed to movies like "Hackers" or even "Swordfish", this movie's dialogue actually made sense to those who know the definitions of all of the acronyms (cause it's a true story), and the computers showed on-screen, actually looked like something people actually use.

      But getting back on topic, it's the social engineers that we should all be afraid of. These guys may not be really hackers (at least not in traditional sense), they're really just con artists. You don't need a computer to get pwned.
      • But getting back on topic, it's the social engineers that we should all be afraid of. These guys may not be really hackers (at least not in traditional sense), they're really just con artists.

        Phishing is just a form of social engineering. It doesn't take much technical skill at all... more than my mom has, but way less than I do, and I'm no guru. As a matter of fact, the way most people get pwned is not through a clever worm that finds them and nails them just because they're online. It's by being tr
      • Social engineering. What makes it good is simply that you can actually make it realistic AND entertaining.

        If you take the "technical" side of hacking, it's boring to film. Pages and pages of source or disassembly, lines and lines of shellcode... blech. So we get flashy interfaces that make you cringe when you know what actually should be there.

        SE is a different matter. I mean, think of the ways Eddie Murphy got into various restricted locations in Beverly Hills Cop by inventing some stories and playing on p
  • by davidwr ( 791652 ) on Wednesday April 11, 2007 @04:08PM (#18694891) Homepage Journal
    Nobody knows the superhacker was ever there.
  • A focus of the article is on the over response to the "superhacker" - this is the same knee jerk issue in regular crime. Glorify the criminal - make them all out to be Moriarty calibre - dancing magicians who laugh at us mortals - wheedle about inadequate laws .... rather neat solutions to abrogate your basic security responsibilities ? Fact is that most cybercrime is carried out by fairly basic means but there's an industry of ass covering in pretending otherwise.
  • Um, since when are super skilled under-the-rader hackers a myth? If they're so good that they never get caught, then they definitely ARE "Superhackers". Of course, we wouldn't know if we never hear about them.

    The most advanced hackers will change whatever data they feel like changing, in such subtle ways that no one ever notices. We might not have many (any?) cases of this, but that's the whole point - if you're subtle enough, you'll never get caught.

    My high school still has absolutely zero knowledge of
    • Re:Myth? (Score:5, Funny)

      by Anonymous Coward on Wednesday April 11, 2007 @04:49PM (#18695413)
      "My high school still has absolutely zero knowledge of some of the hacks I pulled, and they never will know."

      FYI Andrew Matecha of Vancouver BC, there is enough information on your band's website and MySpace page to identify you and figure out which school you committed your crimes against. Not that I care, but you might want to think about that before you brag about illegal activity you've participated in.
       
      • I'm well aware of the URL containing my last name on every post I make... ;)
      • Re: (Score:3, Insightful)

        by necro2607 ( 771790 )
        BTW, I didn't say anything about committing crimes. "Not that I care", but calling me out on my full name and city of residence and then claiming some kind of illegal activity when I didn't actually mention as such is a bit slanderous.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      No, it's actually that they aren't looking for you, because the secretary found it and fixed it when she got back from the restroom.
  • by TibbonZero ( 571809 ) <Tibbon&gmail,com> on Wednesday April 11, 2007 @04:11PM (#18694945) Homepage Journal
    Knightmare's "Secrets of the Superhacker"...
    http://www.amazon.com/Secrets-Super-Hacker-Knightm are/dp/1559501065 [amazon.com]
    Who's afraid of a little social engineering?
  • by operagost ( 62405 ) on Wednesday April 11, 2007 @04:15PM (#18694979) Homepage Journal
    I know the Superhacker exists... because he's me. Now, if you'll excuse me, I need to go back to my 3D virtual reality interface, hop on my lightcycle, and infect the alien mainframe with the Michaelangelo virus. If you need me, I'm at IP address 24.75.345.200.
  • by madsheep ( 984404 ) on Wednesday April 11, 2007 @04:16PM (#18694999) Homepage
    Before I move onto the title of my post, let me just say Kevin Mitnick.

    Sure it's an old example, but it is also a great example. Maybe he didn't go releasing chaos in every category, but for a public example this is a pretty good one. Look at the stuff he got into and ahold of. These articles burned my eyes so I couldn't read the all three parts or even all of part one. Sorry, but one other thing -- where exactly is all this concern and discussion about a super-hacker? How can it be overblown, overhyped, etc? I don't hear anyone talking about a super-hacker.
    • let me just say Kevin Mitnick .... Look at the stuff he got into and ahold of


      Which "stuff" was that? A list of credit card numbers everyone on Usenet had? Some source code Sun gave away for free to academic institutions?

      You know, he could also whistle the launch codes in to a telephone to start a nuke-you-ler war.
  • Ohm's Law (Score:4, Funny)

    by tjhayes ( 517162 ) on Wednesday April 11, 2007 @04:22PM (#18695067)
    Law School professor Paul Ohm
    I wonder if he teaches Ohm's Law?
  • by fahrbot-bot ( 874524 ) on Wednesday April 11, 2007 @04:26PM (#18695125)
    I tried to run a "whois 'Paul Ohm'" like they did in the movie "The Net", but it didn't give me picture of his employee ID badge. What gives? Perhaps if I hit the Esc key a few times, I can hack into his computer and get it...

    I can't imagine where people get all these ideas about "super hackers" and the like. Now where are my VR goggles? I need to hack a Cray using this pay phone down the street...

    • Re:Whois Paul Ohm? (Score:5, Interesting)

      by digitalhermit ( 113459 ) on Wednesday April 11, 2007 @04:40PM (#18695309) Homepage
      All it takes is a little ignorance.. There's a saying that goes, "The man with one eye is king in the kingdom of the blind." I'm hardly a guru and know about as much about DNS, TCP/IP, networking and operating systems as the next career IT guy. But it's cool how things get started..

      At one company I was asked to "break into" a Windows machine. The previous user had left and only he had the password. He was not on speaking terms with the company. Luckily, the user had given me the password to another system. Even luckier, he used the same password. So after about fifteen minutes of making myself look busy, I tried his password and got in. No one asked how I was able to get in; everyone assumed that I was able to hack the system.

      At another company there was a dusty router that sat in a rack. One day it stopped working. They'd tried power cycling it (their usual troubleshooting step), but that didn't work. So I went in, unplugged it for a few minutes, plugged it back in. I was looking through the manual for a troubleshooting guide when someone comes over and congratulates me.

      Richard Feynman had a similar story but it involved safe cracking. And most people know the joke about the plumber, the punchline being, "but knowing where to hit costs $300." Forget the latter, it's not relevant...

      Anyhoo, the point I'm making is that it's easy for people to mistake dumb fool luck and bullshit for real expertise. I know this firsthand.

      • There's a saying that goes, "The man with one eye is king in the kingdom of the blind."

        I thought it was "In the kingdom of the blind, the man with one eye is totally fucked when the sun sets since the blind don't have lamps". I once even read a short story that explored the idea.

        That's my random comment for the day. There's certainly insight to the saying, which like most sayings aren't meant to be taken literally.
  • control (Score:5, Insightful)

    by wall0159 ( 881759 ) on Wednesday April 11, 2007 @04:45PM (#18695373)

    Hackers, terrorists, drug dealers, child molesters, communists:

    Useful tools for the control of a fearful and gullible populace.
  • This guy who is a suppossed specialist in computer crime apparently never spent time being a security admin for a network. You know, those guys who spend all day making sure servers and workstations are patched, passwords follow policies, exploits are kept track of, logs analyzed, IDS/IPS systems are up, running and monitored. Who go to sleep at night worrying where the next one is coming from?

    He doesn't see large outbreaks as often as before because of people like that. They stay on top of all these thi
  • Unfortunately a lot of laws and rules are created and govern the masses based on the few.

    And not just at the inconvenience of the few, but rather of the many. Does it make sense? Only if you think that by forcing everyone to do less you can restrain the ones that don't care about the rules.

    Oh wait, that doesn't really make sense either . . . well so much for thinking about it, let's just blindly follow . . . Patriot Act FTW!

  • by dbIII ( 701233 ) on Wednesday April 11, 2007 @05:04PM (#18695577)
    The guy is aware that the word superuser already has a meaning but wants to invent a new meaning for it. I've seen this behavior a few times with other words being redefined by other people to cause confusion. Is this sort of stupidity common in US Universities now?

    The last thing we wnat is this term misused in a law somewhere or even in popular usuage. Some poor sod getting dragged off by security after being heard uttering what will be the suspiciuous words "I'll have to get superuser access" is some stupidity we can live without.

    Other than that there are good points - he's talking about the mythical "cyberterrorist" (also a bad word due to distinct lack of angry robots with bombs - but at least it doesn't already have a meaning).

  • by MattW ( 97290 ) <matt@ender.com> on Wednesday April 11, 2007 @05:13PM (#18695671) Homepage
    The first mistake is to think that anything mentioned even requires you to be a "superhacker". Identity theft is trivial. Stand on a street corner and say you're registering people for a contest, and put name, address, social security number on the form, and 90% of people who stop to fill it out will just put their SSN down. Stealing "software" and "media" hardly makes you a superhacker; hundreds of thousands of people do it every day, 99% have probably never even compiled a program. Virus writing isn't difficult either; it's finding the hole to exploit in the first place that CAN be difficult. But given an exploit, turning it into a virus isn't that tough.

    Even when we take it up a notch and look at actually dangerous attackers, like people using widespread vulnerabilities to deploy custom rootkits, we're not talking about superhackers.

    Then there's a class of people who, if they are inclined to be lawbreaking and antisocial, are superdangerous. Take a look at someone like Michal Zalewski [coredump.cx], who's been pumping out advisories, proof of concepts, and gems like a hobby OS for...well, a long time. Can you imagine him in the wild as a black hat? Ugh, scary.

    Then there's real superhackers. One former coworker built a railgun for fun, cracked DES (key recovery in 24 hours on a p3, given certain fairly common preconditions), cracked the remote management on a major commercial firewall (because we lost the password, and it was easier than going offsite for password recovery), then founded a security company, got rich when they got bought out, and moved onto toy around with things for nasa and the DoD. So, if someone like somehow finds their way onto - and stays on - a black hat path, well, the mere fact that securing something is harder than cracking it means he will always find a way in, if he wants to badly enough. I think they'd have to be unbalanced to stay black hat, since that sort of talent will either get them illegitimately rich enough that they'll avoid danger, or get them legitimately rich enough that they'll give up black hat activities to go legit.

    But identity theft? Please. Peanuts. They're more likely to use large scale espionage to find some valuable nugget; perhaps upcoming M&A activites. Then they sell this info to a third party with plausible deniability and a lot of cash - say, George Soros (not that I'm saying he'd buy, but for example) - and let them profit massively off it and take a kickback. Just one significant score like that should be worth 7-8 figures. That's just one example out of a hundred scenarios where a true uberhacker could illegitimately profit. And they'd almost certainly only do it once, if money was their motivation.
  • A Million Monkeys. (Score:3, Insightful)

    by Kaenneth ( 82978 ) on Wednesday April 11, 2007 @05:27PM (#18695813) Journal
    If a million monkeys could eventually happen to write Hamlet, a million typical users could eventually crack important network security. ...redacted document files retaining undo information, poor password choices, nigerian scams...

    the more difficult a security system is to use, the greater the chance it won't be used.

    employees will write client information and passwords on paper, allow others to use use their accounts, or hit 'yes' to every prompt.
  • So very wrong (Score:5, Insightful)

    by lostboy2 ( 194153 ) on Wednesday April 11, 2007 @05:33PM (#18695877)
    I read the abstract of his paper, read the beginning of TFA and skimmed as much of the rest as I could stand and I have to say this guy is so wrong it feels like my head and heart are going to explode. There's no way I can do justice to how wrong he is, and this is going to devolve into flamebait, so I'll just pick a few points:

    For example, law enforcement officials talk about the spread of zombie "botnets" to support broader computer crime laws.
    Yes, governments and law enforcement agencies use fear tactics to support broader crime laws and curtail civil liberties. Guess what, that's not the doing of IT professionals and computer security experts. Governments and law enforcement agencies have been doing that long before there were computers.

    We know that the Superuser's power is often exaggerated for three reasons:
    First, some statements of Superuser harm are so hyperbolic as to be self-disproving
    So, because some people exaggerate the problem, there is no problem?

    Second, experience suggests that some online crimes are committed by ordinary users much more often than by Superusers.
    Emphasis mine. So, again, does that mean we shouldn't be concerned about people who DO have the skills to do serious damage? What was that about the ASUSTek website being hacked [com.com]? Was that done by an "ordinary user"? And you're saying that Bob from Accounting is responsible for all of those 0-day exploits? Great, I'll go bash him right now.

    The third way to dispel the Myth is through studies and statistics. As one very recent example, Phil Howard and Kris Erickson of the University of Washington released a study which found that sixty percent of reported incidents of the loss of personal records involved organizational mismanagement, while only thirty-one percent involved hackers.
    Ah, so 31% is negligible. By that reasoning, I don't have to pay any taxes this year. Plus, that's only one study about reported incidents. How many people reported when their PCs were infested with a virus or trojan? Who would you even report that to?

    I've seen new Windows XP computers plugged into a network get pwned before you could finish going through the Windows setup wizard. The reason stuff like this doesn't result in "loss of personal records" is because IT professionals and security experts put in a s**tload of effort to make sure it doesn't. But IT professionals and security experts can't prevent a PHB from putting sensitive info onto a laptop and then taking it home only to have it stolen.

    There has never been a death reported from an attack on a computer network or system.
    Yeah, well, I work in a hospital. Every time there's a large-scale problem with the network or enterprise system, it seriously affects the staff's ability to perform their duties. That translates to worse care for the patients. So, do you want your hospital to be running smoothly or not? Do we have to wait until someone IS killed to take security seriously?

    In stark contrast, experts in the field of computer crime and computer security are seemingly uninterested in probabilities.
    The problem is that so-called computer experts tend to have neither the training nor inclination to approach problems statistically and empirically
    Buddy, I'll take Bruce Shneier's assessment of security over yours any day.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...