When I read about Marcus I thought of his use of plaintext passwords: :) http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1113473,00.html
Posted by Jens Kubieziel at September 10, 2005 06:47 PM
I finally got around to reading the "Six Dumbest Ideas...".
I would like to emphasize the "hacking is cool" part. Offensive thinking and defensive thinking are quite different and there's no guarantee that a good attacker is any good at defense. After reading some of K. Mitnick's -- otherwise very entertaining and even somewhat educational -- books, I would say that he's a very poor security expert and I wouldn't trust him to secure my assets.
Most of Kevin's recommendations wouldn't have worked against him. Simple systems with no human in the decision loop would have probably frustrated most of his efforts at penetration.
>When I read about Marcus I thought of his use of
>plaintext passwords
As usual, there's more behind a story than meets the eye. Up until shortly before the incident occurred, I had been hosting my email at a friend's service and he'd been too overloaded to set up IMAP+SSL for the mail server. Usually at conferences I only use the wireless to surf to skanky porn sites ;) but I accidentally kicked off Eudora to get some info out of my in-box and, of course, it immediately went to check my mail. Certainly, a fumble.
What's ironic is that my friend had to lose my hosting business over the incident, and it was one of his other friends who was doing the sniffing.
But you're focusing on the wrong issue and you're trying to blame the victim. Of course I know how to secure my Email but I had chosen not to. In fact, as weird as it sounds, it is my right to leave my Email insecure - but it's a federal crime (violation of USC18, ECPA and also the Federal Wiretap Statute) to access it. Because I periodically have used my computer (in my capacity as a consultant) for federal government projects, the violation is actually more severe than just ECPA and FWS. Should I have secured my Email? Maybe. Should a reputable security professional and self-professed privacy advocate have been sniffing passwords? Never.
As you can imagine, lots of people have thrown this incident in my face as if it somehow means that - well - what does it mean? That I don't know anything about security? No. That I don't practice what I preach? No. I don't like my door at home, either. You're welcome to come out and walk right in. The things I choose to do and the things my customers should do are sometimes different. Indeed, sometimes the things my customers choose to do and the things they should do don't line up.
mjr.
Posted by Marcus Ranum at September 12, 2005 04:24 PM
mjr wrote:
> As usual, there's more behind a story than meets the eye.
Sure, I think this is just one of those things. Just because one deals in security doesn't mean that one has to spend all one's life eating *only* one's own dog food.
OTOH, I think there are limits to asking people to be "responsible" when at conferences such as those. It's not that it is pointless or unprofessional or whatever, it's that there needs to be an escape valve somewhere, somehow. Conferences seem to be it; and if it wasn't there, I'd say it would have to be somewhere else.
Otherwise, I'd simply conclude that it was all talk, all conspiracy theory (either way) and all sales. All of that and no real way to determine if any of it is of any value whatsoever.
Posted by Iang at September 14, 2005 04:13 PM
>I'm not sure who Marcus is but his name keeps cropping up
I can't believe you don't know who the greatest pioneer in firewalls/proxies and NIDS is?
Marcus is a bit of a hero of mine. He shoots straight. Calls B.S. when it's B.S.
He also makes the best modern Sun Tzu quotes.