While writing my column earlier this week I got mad at the organizers of this weeks Black Hat conference in Las Vegas.. After all, why try to train people to write the worst, most invasive and difficult to defend against attack software?
Their main argument is that security professionals need to understand attacks, even the worst ones, if they are to defend against them. Even if theres clearly something to it, Im not sure the argument completely works. I just dont like the idea of so openly spreading knowledge on such potentially destructive technologies.
At the same time, a more comprehensive look at Black Hats sessions shows a picture of useful, interesting and undeniably legitimate training. Theres a wealth of information covering computer forensic examination and how to secure your network against general and specific threats, as well as postmortems on recent security incidents and evaluations of prominent products. Speakers at the conferences have included representatives from Microsoft, law enforcement officials, and even the Special Advisor to the President for Cyberspace Security. For more information take a look at Black Hats archive of presentations notes and videos of past conferences.
Still, on the flip side, theres the rootkit class I mentioned earlier. And the session on how to exploit DCOM. And how to write Cisco IOS exploits. I would feel a lot more comfortable with exercises such as these if they were always accompanied by information on how to defend yourself against the attack.
For instance, theres the class "Attacking and Securing UNIX FTP Servers." This one-sided training reminds me of the people who publicly release exploit code for a vulnerability before it has been patched. Such people are part of the problem in spite of their puerile excuses. Just because people ought to look where theyre going doesnt make it right to throw banana peels on the sidewalk. If someone trips you are to blame.
When I was younger, there was a time when I wanted to become a locksmith, and I still like to tinker with locks. Im sure some percentage of the people who attend locksmith vocational and technical schools do so intending to use their knowledge in the pursuit of crime. Same thing for people who learn about alarm systems. Im sure everyone in the business just accepts this situation, since you cant read peoples minds when you train them. You have to hope they will be honest.
And even though a good locksmith must think like a burglar in order to make a building really secure, I really doubt that they teach "Breaking and Entering 101" and "Advanced Bank Robbery" in locksmith school. Or do they? Should they?
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.