Security Watch

They say imitation is the sincerest form of flattery, and we hope that the people at Phrack Magazine (one of the premier security resources on the Internet) aren't too upset this week. We have shamelessly borrowed their Loopback concept of periodically using magazine space to respond to reader mail. We thought you'd deserve a crack at us in public at least once a year. Our responses follow your questions, and names have not been reprinted to respect the privacy of the original authors.

Disclaimer: We intend this to be a humorous look back at a small selection of the many e-mail messages you sent to us this past year, and our responses are not directed at any one individually, but rather toward the whole category of mail we receive that flows under each topic area below. We hope you can forgive us for the lighthearted topic this week, and we promise to get back to business next week with our Golden Guardian Security Product of the Year selection.

By the volume of spam we receive, we assume that some of you have chosen to enroll us with a selection of the Internet's finest list servers rather than simply doing the civilized thing and e-mailing us a string of expletives with BackOrifice 2000 attached. Some treasured moments from our archive:

Lose 5-15 inches in one hour! Introducing nonsurgical liposuction with detoxifying regeneration herbal body wrap product!

To the individuals responsible for this: Want to lose 20 pounds of unsightly fat instantly? Cut off your heads.

How to make beautiful women from all around the world become interested in you from right here at your computer for free.

Although we're both happily married (and no, not to each other), we have often wondered why our column has not attracted the following of the scantily clad twenty-somethings who inevitably seem to migrate to Backstreet Boys types.

Isn't computer security hip with Gen X? Perhaps this message is a clue.

I don't much care for the pair of you. You are no more nor less than shills.

You perform no service for anyone trying to escape the entire gothic mess of DLL-Hell and mediocrity [of] Popular software. Until the magnitude of the Popular s/ware disaster slowly emerges into the light, please seek honest work.

We sincerely apologize for our behavior as shills for the Popular Software Industry. We feel awful and will immediately begin writing only about programs that are unpopular. Furthermore, we'd like to donate the entirety of our "dishonest" wages to the facility wherein you are institutionalized. Maybe you can use the money to pad your cell with reprints of our column?

... suggestions of funds being paid by a software company to a consulting company where InfoWorld contributing editors work and the contributing editors writing comparisons of products which the software company's products win, and no disclosure of the business relationships between software company and the employer of the contributing editors made to the readers.

Full disclosure: We work for a living. The entities we work for do business with many other companies. Anyone who can demonstrate to us that they live a different life than this can throw the first stone. Our writing is biased by one thing: facts. If we hurt some vendors' feelings, too bad.

Joel is right on, Stuart is [a] moron [regarding July 26, 1999, column].

Sheesh, you try to present diverse points of view, and look what happens. I guess we should just start parroting each other's thoughts in every column. Oh, and for some readers, the spelling of my name is "Joel," not "Josh." (See "Columnists debate: Does Back Orifice 2000 help or hinder your security efforts?")

... you both have the CISSP [Certification for Information System Security Professional] certification, why do you not show it? I believe it would give you that much more credibility in the industry.

We are both CISSPs, but we figured the book would speak more loudly than the letters.

Can you guys help me? An NT Web server that I administer was hacked. The question that I have is this: What does the executable for BackOrifice look like?

He's 5 feet 7 inches, brown hair, glasses -- oh, shoot. We thought you said "Executive." Sorry.

I was just reading your article on hackers and how they get into your PC, what security could I use to stop this?

Turn your computer off. Forever.

I find it surprising and somewhat offensive that you posted the Web site of a hack page that purports to be able to hack into NetWare's NDS [Novell Directory Services].

We take full responsibility for "posting" this URL in public and will refrain from telling anyone about publicly accessible Web sites in the future.

Why don't the anti-virus companies add a module to their software that searches for "signatures" of known bugs?

We strongly recommend against this idea. We sincerely enjoy doing this work in computer security, and our children's college funds are not even near as large as they need to be. Please, think of them. In the meantime, get started on next year's rants and raves at

Stuart McClure is an independent security consultant at Rampart Security Group.

Joel Scambray is a consultant at Ernst & Young. They recently wrote the security book Hacking Exposed (Osborne/McGraw-Hill).
