Professional Documents
Culture Documents
W
hen Dan Farmer, then of Silicon Graphics and
for refusing to abandon a project that motivate this special issue of IEEE this special issue is
could be used to attack systems. Nine Security & Privacy. news to the mali-
years later, every system administrator cious hacker com-
uses network scanning tools as a regu- A popular opinion? munity. Some secu-
lar part of their job. The logic behind The security and privacy research rity experts might
improving your network’s security community appears to be mostly worry that revealing
posture by breaking into it is no longer united on the issue of discussing at- the techniques de-
questioned. (You can find Farmer and tacks in the open—the majority scribed in articles
Venema’s classic paper, “Improving opinion is that the only way to prop- like these will en-
the Security of Your Site by Breaking erly defend a system against attack is courage more people
Into It,” at http://nsi.org/Library/ to understand what attacks look like to try them out—an echo
Compsec/farmer.txt.) In an ironic as deeply and realistically as possible. of the worry that got Dan Farmer IVÁN ARCE
twist of fate, administrators who don’t Unless we discuss attacks explic- fired. Perhaps this is true, but cyber- Core Security
use tools like Satan on a regular basis itly—publishing articles and books criminals and hooligans have always Technologies
now run the risk of being fired. about attacks, giving presentations had better lines of communication
Yet when University of Calgary about system vulnerabilities, and so and information-sharing than the GARY
professor John Aycock announced a on—we will be practicing security good guys. We believe that security MCG RAW
course on malware in Fall 2003, many by obscurity, or, worse yet, security professionals must understand and di- Cigital
indignant security vendors (including by merely crossing our fingers. gest this kind of information so that
Trend Micro and Sophos) lined up to The fact is, system security is dif- they grasp the magnitude of the prob-
criticize him. The vendors claim that ficult to get right. Short of building lem and begin to address it properly.
teaching students to understand and provably secure systems (which
create malicious code is a mistake— some dream of, but is nonetheless an Article diversity
that no good could come of such a activity that seems not to be done The articles in this issue represent the
course. On the flip side, the justifica- with any regularity), a critical part of broad range of ideas that come to
tion for such a course lies in the idea security design and implementation mind when scientists and engineers
that the motivations and mechanisms is subjecting a system to rigorous think about attacking systems. Some
of malicious code must be understood analysis, including attack-based pen- approach the problem by describing
in order to be properly combated. etration testing. Strangely, this means technically sophisticated attacks, at-
So who’s right? Should we talk that designers must understand what tack patterns, and toolkits. Others
about attacking systems? Should we makes attackers tick so as not to fall fret about the politics of security and
teach people how real attacks work? prey to this kind of testing. attacks, worrying that outlawing cer-
Is ethical hacking an oxymoron? It’s important to emphasize that tain kinds of software will backfire.
Those are the sorts of questions that none of the information we discuss in Some describe methodologies for
PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/04/$20.00 © 2004 IEEE ■ IEEE SECURITY & PRIVACY 17
Attacking Systems