Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 17 Aug 2002 14:50:56 -0400
R. DuFresne wrote:
> It seems that the whitehat community is under a new attack, putting fear into the souls of some reputed security experts, leaving them now, rather than admonishing these spoiled children, to brag them up and promote what some are referring to as their fine skillsets and tools.
It's not a new attack!!! This has been going on in many ways for a long time. There are really two things going on here... Both are caused by professional insecurity in the hearts of the "reputed security experts" Ron's referring to...

First off, there's the specialized knowledge of the hacker. I've had this particular hook set pretty deep in me, professionally, in the past. If you're a true white hat, you're not replete with hacking technique and you're not the kind of guy who can whip out a tool to crack into any website any time, or whatever. Unfortunately, a lot of our customers in the security business have been conditioned to expect reputable security professionals to have at least moderate hacking skills. This is thanks to things like Hacking Exposed classes, and the early well-marketed security/hacking cross-overs like Dan and Wietse's SATAN, ISS, Nmap, etc., etc. I used to do audits and it was a very, very tough thing whenever a customer insisted that I _demonstrate_ the presence of a vulnerability before they'd be willing to fix it. (Oddly, I suspect bullet-proof vest makers don't have that kind of problem with their customers...)

So you have to either become a repository of hacking technique yourself, totally steer clear of hacking technique, or have friends who have the hacking knowledge who can step in every so often and back you up. So, unfortunately, because our customers have been media-trained and hacker-marketed to be stupid*, many security professionals are now in the situation where they feel they can be embarrassed if their hacker buddies get pi*sed off at them and the well of information runs dry. I managed to get over and around this problem a long time ago by being extremely up front about the fact that I don't know hacking technique and I don't think it's particularly useful, and I educate customers as well as I can on the issues, and if they don't buy it, there are always smart customers to find.
As soon as you start playing that "secret squirrel" crap you're vulnerable to whoever can show that your bag of tricks is mostly empty. There are a huge number of security practitioners out there who are basically poseurs who pretend to know a lot about hacking so they can make money doing useless penetration tests - and they run back to their hotel rooms and use Nessus. They're vulnerable to real hackers making them look bad because they have chosen to compete on the wrong playing ground.

Secondly, there's the notion that a security person's security is an indication of how well they can secure others. In other words, if you're going to come in to my network and audit my practices, you'd better not have been hacked yourself. In a sense, this is reasonable, because if you're expecting me to help you secure your network, I ought to be able to demonstrate I can secure my own. But we place a ridiculous premium value on this demonstration. I was at a conference recently and some of my peers jumped all over me when I sent my password in the clear to my ISP's POP server. As if I should care? I don't do anything _important_ via E-mail and any damage I'd suffer is limited. Their reaction was "it'd be a professional embarrassment!" but that's not true. Anyone ought to be able to understand that even cowboys get the blues, sometimes. Even security companies' websites get hacked. This isn't news - or shouldn't be. But by holding such a high expectation, we're making our practitioners vulnerable to this kind of blackmail from the hackers. Hey, dear customer - if even _I_ get hacked, then you _really_ need me. :) If you're insecure, your fear gives someone a lever to control you.
> In other words, like the quotes cited in the article mentioned in the forwarded posting below, some are paying a verbal ransom to these little brats. At least one security-related list is being pretty much held hostage to the onslaught of spew mentioned in the posting and the article it cites.
One other possibility (I can't estimate the likelihood) is that since the posting is anonymous, it's completely faked. A number of years ago (1997) me and 2 friends had too many tequilas at a conference and found ourselves outlining the core of a simple disinformation campaign that would create a "Hacker Elite" identity trivially easily. All it would take is a few cooperating members outside the hacker circles and you could pretty quickly create hard-to-penetrate covers. After all, your cover as a hacker is tough to penetrate if you can always lapse back into being mysterious, dodgy, uncommunicative, and anonymous. "Of course I won't show you my secret technique! It's _secret_!!" All it'd take was cooperation from a few high-profile security practitioners, web-site admins, and open source coders and you could create a truly towering reputation out of nothing, or next to nothing. Some may say it's already happened.

Then again, this post could also be disinformation. ;) You tell me.

mjr.

(* not trusting the expertise of an expert you just paid a ton of money for is stupid by any definition I can think of...)

---
Marcus J. Ranum - Computer and communications Security Expertise
mjr () ranum com (http://www.ranum.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards