Adrian Lamo — Part 2
New Architect: Inside the Hacker Mind, Page 5 of 6
around $110. Occasional security/network work funds my interests the
rest of the time.
NA: I assume your security/network contracts know about your
after-hours activities?
AL: I mention it to the occasional ones that don't know, but more out
of courtesy than out of thinking it's somehow crucial that they know.
NA: Ever any hesitation from clients?
AL: Not that I recall. I don't usually solicit clients; it's generally the
other way around. The work isn't a priority; I can do a month on about
$150 if I want to. If my laptop died after an improbable plunge into
some underground river or something, I might make a couple of calls.
NA: Let me ask about specific vulnerabilities in systems these
days. Any common holes?
AL: That ties back to what I've said before in a lot of ways—it's less
specific things that usually need patching. But for the sake of some
slightly more specific notes, it's frequently conceptual vs. system-
centric vulnerabilities. Your unreasonably expensive firewall that blocks
ubiquitous scanning tools doesn't matter if I learn everything I need to
know about your network with a ten-minute Google search.
Authenticating by social security number and date of birth doesn't
matter if I can get both with a fax from the public records department
at the courthouse. Requiring logins to come from on-campus and
blocking all outside connectivity is cool, but it won't matter if I can walk
into the HR reception area and use one of the computers on your
internal LAN that you thoughtfully provide to browse job listings.
NA: Any words of advice for companies on the other end of a
connection from you... or, worse, from a malicious hacker?
AL: Yeah. Operate in a world where your business model depends on
honesty, full disclosure, and the realistic portrayal of your product and
company on their own merits, rather than one where the incidental
glimpse behind the scenes is traumatizing to the corporation as a
whole. More realistically, setting a precedent for less damaging
intrusion isn't unreasonable. If your company accepts that it won't ever
be 100 percent secure, accepting good-faith conduct and full disclosure
from intruders that come forward—and holding them to it—may
prevent a more serious intrusion in the future, in ways that playing up
an “Unbreakable” front won't.
More practically, segment your operations. If I compromise a secretary
in graphic design, there's no need for him to be able to access HR
records. You'll probably be surprised by how much room there is for
improvement. But at the same time, don't cut people down into
specialized worker bees that will go out of their way to get more access
in the face of massive restrictions.
http://www.newarchitectmag.com/documents/s=2415/nal2021/ 9/8/2003
FBI(19-cv-1495)-1097