[iwar] [fc:Why.Are.There.No.Rich.Hackers?]

From: Fred Cohen (fc@all.net)
Date: 2001-10-30 17:12:07
Next message: Fred Cohen: "[iwar] [fc:FBI.Terror.Detentions.Questioned]"
Previous message: e.r.: "RE: [iwar] [fc:Sensitivity,.Ramadhan,.friends,.and.a.non-existent.coalition]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200110310112.f9V1C7609058@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Precedence: bulk
Date: Tue, 30 Oct 2001 17:12:07 -0800 (PST)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Why.Are.There.No.Rich.Hackers?]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Why Are There No Rich Hackers?

By Jay Lyman, www.NewsFactor.com,  10/30/2001
<a href="http://www.ecommercetimes.com/perl/story/14460.html">http://www.ecommercetimes.com/perl/story/14460.html>

Analysts say many hackers do get paid, but usually for legitimate work,
such as penetration testing for corporate clients. 

People make ideas happen. Smart people who innovate, working with smart
people who execute. People who get it. People who get it done. To get
vital information from IBM on e-business execution with 12 white papers
to choose from click here. 

Many hackers and crackers evolve from breaking into computer systems to
protecting them, working in the security industry and going legitimate
to make a living at their science. But what about those who choose to
join the Dark Side? 
So-called "bad" hackers have tried to profit from efforts like creating
a spamming trojan, which combines a self-propagating computer virus with
unsolicited e-mail known as spam, or by selling security exploits or
using them for blackmail. 
But experts say that hackers are not likely to cash in from code, adding
that they would be forced to work with unscrupulous partners to get paid
and would face the prospect of prosecution. 
To compound the risk, passage of a new antiterrorism law has increased
police surveillance powers as well as potential punishments for
terrorists and their associates. 
Malware for Money? 
Antivirus experts say that malware -- malicious code -- exists that is
capable of spreading like a computer worm and directing infected
machines to specific Internet Web sites or e-mail boxes -- for a price
per "hit." 
"You could have someone take 100,000 machines and make them all go to
this site and pick up points for having all these machines go there,"
McAfee fellow at Network Associates Jimmy Kuo told NewsFactor Network.
"It hasn't happened, but there has been code that exists in viruses that
could set it up." 
However, Kuo and other experts say that while technically possible, the
other factors involved in profiting from such a scheme -- collecting
payment but avoiding detection and prosecution -- make it nearly
impossible. 
"The chances of it actually working and the guy making money are very
unlikely," Kuo said. 
Selling Exploits 
Another recent issue involves the creation of an exploitive code and an
offer to sell it, which is unlikely to work because information gets out
on the Internet, according to SecurityFocus incident analyst Ryan
Russell. 
"Certainly, whoever wrote [the exploit] has a right to charge for it,
but I don't think it's going to fly," Russell told NewsFactor. "I just
don't think the mechanism they're trying to do it with is feasible.
Ultimately, these things are fairly difficult to keep secret." 
Russell said blackmail of a software vendor or security firm to keep a
vulnerability or exploit quiet may be more likely, but the same openness
of the Web combined with criminal penalties decrease the chances of that
succeeding. 
Welcome Or Not? 
Echoing other experts, Russell said many hackers do get paid, but
usually for legitimate work, such as penetration testing for corporate
clients. 
"In and amongst the security companies, the CTOs (chief technology
officers) and chief hackers within that space are all from the ex-hacker
community," Kuo said. "They all have pseudonyms and are known for their
hacking capabilities." 
However, some hackers -- specifically virus writers -- are not welcome
in the antivirus community, according to Kuo. 
"Once a virus is out there it can't be reclaimed, so we wouldn't ever
hire a former virus writer because the damage from a virus is
never-ending," he said. 
Bigger Penalties Now 
Kuo, who referred to cybercrime schemes that the Federal Bureau of
Investigation has logged online, predicted that the antiterrorism law
approved last week will have a chilling effect on hackers and malware
makers. 
"The antiterrorism act will put defacement out there in the minds of
these people," Kuo said, adding that selling an exploit to the wrong
person could result in a lifelong prison term. "This law will have
serious impact on these people and what they're trying to do."

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Pinpoint the right security solution for your company- Learn how to add 128- bit encryption and to authenticate your web site with VeriSign's FREE guide!
http://us.click.yahoo.com/yQix2C/33_CAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Next message: Fred Cohen: "[iwar] [fc:FBI.Terror.Detentions.Questioned]"
Previous message: e.r.: "RE: [iwar] [fc:Sensitivity,.Ramadhan,.friends,.and.a.non-existent.coalition]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:58 PST