------------------------------

Date: Tue, 25 Jun 91 14:12:25 EST
From: Gene Spafford
Subject: Comments on ComSec Data Security

********************************************************************
***  CuD #3.24: File 4 of 8: Comments on ComSec                  ***
********************************************************************

I have a quick comment on the report of the start-up of Comsec Data Security.

I have been quoted as asking people if they would hire a confessed/convicted arsonist to install their fire alarm system when talking about hiring "reformed" system crackers to do computer security. Personally and professionally, I think it is a dangerous decision from a business perspective and from a professional perspective.

From a business perspective, you need to ask yourself the following questions:

* If these guys know how to break through certain kinds of security, does that prove they know how to make the security better?

  Using an analogy to start with, does someone who has experience putting sugar in the gas tank know how to tune the engine? Or, more closely, does someone who has shown expertise at stealing cars with the keys left in the ignition know how to tell you something more valuable than not to leave the keys in the ignition? They can guess at telling you to leave the doors locked and windows rolled up. But can they tell you about car alarms, various forms of insurance, removable stereos, LoJac (sic?) tracers, cost/benefit of using various other models of car, etc.?

  Likewise, with computer security, because some people have had good luck breaking weak passwords and circumventing poorly-placed controls, that does not make them experts in security. What do these guys know about formal risk assessment models, information theoretical background of ComSec evaluation, formal legal requirements for security, business resumption planning, employee training, biometric systems, .....?

* How do you know they are reformed?

  Just because they claim they have reformed and hang a shingle out, does that mean they have *really* reformed? If your business presents a very tempting target, how do you know they aren't casing the system to make a single big haul and then skip town? How do you know they aren't going to traffic info on your system with their friends? One big haul and a quick trip to another country with no extradition, and that's it. The literature is full of instances where people with clean records couldn't resist the temptation to take advantage of their access to the system to make a quick buck. How much more can you trust people who have already shown they aren't particularly interested in niceties of the law and ethics? Ask the folks at SRI if hiring "reformed" crackers/phreakers is ultimately a sound business decision....

* Can you be sure if these guys find some of their former associates playing with your system, they will act in your best interests?

  This is a standard problem in a new realm -- will these guys really turn in their former buddies if they find that they have penetrated a client's system?

* If they miss a problem, or cause a problem, will your business insurance pay off? Will you be immune from prosecution or stockholders' lawsuits?

  These guys and others like them have a checkered history. Hiring them to protect your systems against loss could be grounds for negligence suits in the case of loss, or be sufficient to cause non-payment of insurance policies. In the case of various state & federal laws, you might be responsible for not showing a concerted effort to really protect your data. Are these guys bondable? If so, for how much? Can they receive security clearances?

The decision is also a bad one professionally. What kind of statement does hiring these guys send to the rest of the world? It says "Gee, build up some experience hacking into other people's (or our) systems without permission, and we'll give you a job!" That's a bad statement to make.

Furthermore, it says to the true professionals in the field, the people who study the material, act professionally and ethically their whole careers, and who make every attempt to be responsible: "We will hire people who behave improperly instead; your training is equivalent (or less than) experience gained from acting unethically." That is a worse statement to make. Most of the professionals in the field could easily break into business systems because of lax security, but would never dream of doing so. To prefer confessed crackers over honorable professionals is quite an insult.

As a professional, I would refuse to do business with firms who hire these guys as security consultants. They show surprisingly poor business sense, and an (indirect) contempt for the people who work hard and *ethically* their whole careers.

Note that I'm not stating that these three, in particular, are less than honorable now or will commit any crimes in the future. I'm stating that, in the general case, such "reformed" individuals are a very poor choice for security consulting. Neither am I making the statement (incorrectly attributed to me in CACM a year ago) that people like these three should never be employed in computing-related jobs. I am disturbed, however, that they would be hired *because* of their unethical and illegal past behavior.

********************************************************************

>> END OF THIS FILE <<

***************************************************************************