[SCADASEC] FW: No script kiddies!

Bob Radvanovsky rsradvan at unixworks.net
Fri Aug 29 21:48:46 CDT 2008


To give everyone a fair shake/chance at their 15 seconds of fame...  ;)

For the record, *I* am a 'script kiddie'.  ;P


----- Original Message -----
From: Clint Bodungen [mailto:clint at cidgcorp.com]
To: 'Bob Radvanovsky' [mailto:rsradvan at unixworks.net]
Subject: FW: [SCADASEC] No script kiddies!


> Bob, not sure why this got squashed but I would have liked to have been given
> the opportunity to modify and repost if there was an issue.  Yes, it's
> sarcastic humor but doesn't violate the charter as far as I am aware.  In my
> mind, this thread was propagating an inaccurate concept and to let it go
> would be a disservice to the community.  This list exists, in part, to
> educate.  This was an opportunity to do just that.  Sorry I'm not the overly
> "PC" type.  I don't believe in sugar coating bullshit and selling it as
> candy ;-)
> 
> Clint 
> 
> -----Original Message-----
> From: Clint Bodungen [mailto:clint at cidgcorp.com] 
> Sent: Thursday, August 28, 2008 12:32 AM
> To: 'scadasec at news.infracritical.com'
> Subject: RE: [SCADASEC] No script kiddies!
> 
> Looking at the actual and *original* technical definition of the term would
> reveal that most typical security professionals, consultants, and even
> Information Assurance Engineers would fall under the umbrella as a "script
> kiddie" as well.  The term doesn't actually mean someone looking for the
> easy kill.  The Wikipedia version is correct.  It originally came from the
> newbies (a.k.a. n00bs) that were incapable of writing their own tools and
> coding their own exploits so they grabbed whatever they could from their
> more skilled friends.  These tools and coding techniques are called
> "scripts" and "scripting."  They also didn't completely understand all of
> the technicalities associated with the tool so they fumbled around with it
> aimlessly at random and/or mass targets until they got a hit.  Hence, the
> term "script kiddie."  "Script" from the tools they borrowed and ran, and
> "kiddie" referring to the inexperience they showed or the inability to write
> their own tools and code their own exploits.
> 
> There are *very few* Information Assurance Engineers, CISSP's, Security
> Consultants, etc. that can actually develop their own custom tools much less
> reverse engineer code, find a good attack vector, and code their own
> exploit.  It is very typical for them to run a cliché SVA (hey that rhymed)
> with pre-canned industry standard tools.  Even for a "pentest" they will
> usually reach for Canvas, IMPACT, or Metasploit and maybe some of the
> latest scripts they downloaded off of packetstorm.  (Just like these "script
> kiddies")  BEST case is they actually go get the latest exploit code from
> somewhere like Milw0rm and hope that it compiles and runs (if they know how
> to compile it) without it being crippled by the author (in which event they
> would have to know how to program in whatever language the "script" was
> written in.)  Most people with those skills are security researchers, actual
> hackers, or damn good pentesters.  And I'm talking about industry-wide.
> There are even less in the SCADA/Process control industry.
> 
> Conclusion, if you stick to the *original* definition of the term, the
> industry has *already* hired an entire generation of professional "script
> kiddies" and given them fancy titles and a nice salary...
> 
> I wasn't trying to offend anyone here.  I just think that sometimes people
> are quick to label, judge, point the finger at others, and jump on the
> bandwagon when it's usually a case of the pot calling the kettle black.  If
> I did offend you, I apologize... go code some exploits or write a tool and
> you will feel better... if you are incapable then... well... no comment.
> ;-)
> 
> Cheers!
> 
> Clint 
> 
> P.S. - This one was for you guys I met this week... you know who you are ;-)
> 
> 
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com
> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of John Callahan
> Sent: Thursday, August 21, 2008 5:19 PM
> To: scadasec at news.infracritical.com
> Subject: [SCADASEC] No script kiddies!
> 
> I had to respond to the overwhelming positive response to the idea of hiring
> script kiddies.  What is really needed is to hire IA, Information
> Assurance, engineers.  There is a big difference.
> 
> From the Honeynet.org definition: http://www.honeynet.org/papers/enemy/
> 
>  "The script kiddie is someone looking for the easy kill. They are not out
> for specific information or targeting a specific company. Their goal is to
> gain root the easiest way possible. They do this by focusing on a small
> number of exploits, and then searching the entire Internet for that exploit.
> Sooner or later they find someone vulnerable.
> 
> Some of them are advanced users who develop their own tools and leave behind
> sophisticated backdoors. Others have no idea what they are doing and only
> know how to type "go" at the command prompt. Regardless of their skill
> level, they all share a common strategy, randomly search for a specific
> weakness, then exploit that weakness."
> 
> Wikipedia has a similar definition:
> http://en.wikipedia.org/wiki/Script_kiddie
> "In hacker culture, a *script kiddie*... is a derogatory term used for an
> inexperienced malicious hacker who uses programs developed by others to
> attack computer systems, and websites. It is generally assumed that script
> kiddies are kids who lack the ability to write sophisticated hacking
> programs on their own, and that their objective is to try to impress their
> friends or gain credit in underground hacker communities."
> 
> The difference between a script kiddie and an IA engineer is like the
> difference between a delinquent who plays with firecrackers and a rocket
> scientist.  This distinction is lost on many and there are plenty of
> so-called security experts out there willing to exploit this ignorance.
> 
> Security is a difficult engineering problem.  Script kiddies might be able
> to see the problem, but they can't solve it for you.  We need a disciplined
> approach to security if we are ever to get past this hacker culture.  The
> standards and engineering framework, NIST 800 series for example, is out
> there ready to use for all.  DoD's 8000 series also has a great deal of
> information including training standards for IA personnel in publication
> 8570.1m, http://www.dtic.mil/whs/directives/corres/pub1.html .
> 
> I'm not trying to insult anyone's opinion and I apologize in advance if I
> have.  And I realize that control systems don't have the same security goals
> as do business information systems.  Applying every NIST standard and DoD
> reg isn't possible, but hiring script kiddies, c'mon, you can't be serious?
> 
> Thanks for the soapbox,
> 
> John Callahan CISSP