Full Disclosure mailing list archives
(no subject)
From: "nwonknu" <nwonknu () fastmail fm>
Date: Fri, 22 Nov 2002 22:50:10 -0800
The blackhats assert that the security industry is evil, because they don't offer 100% solutions. "Look how smart I am! I figured out how to pocket the candy without getting caught! You must be really stupid to even try!" What they don't seem to realize is that security can never be 100%. Inviolable security means total paralysis, just like Marcus Ranum's perfect network firewall: a pair of scissors.

Security is about risk management. It is about putting controls in place, and doing the risk analysis up front, so that you mitigate the effects of an intrusion when it happens. It is about coming up with recovery plans, for when things inevitably fail. It is about taking appropriate safeguards for the worth of the data being protected. Any lockpicker or safecracker can tell you this. No lock is 100% secure. You have something important to protect, you buy a better lock.

How can avowed blackhats be so dumb as to assert that perfect security is an attainable, or even reasonable goal? They want you to look the other way, paralyzed by fear. Don't buy security products! Uh, right. It's all obviously snake-oil, isn't it?

Of course, no corporate security professional is actually listening to any of this inane pseudo-messianic blackhat "cleverer-than-thou" propaganda anyway. They are doing their jobs, and doing them as best they can. The awful truth is, some of the brightest exploit writers don't know shit about security. Some of the best security people don't know shit about writing exploits. Full disclosure was meant to narrow the gap, but there is an agenda working against this.

So who's listening? Who's the intended audience for all these rants and FUD? You. The hackers, proto-hackers, sysadmins, and young geniuses interested in computer security. Maybe as a hobby, maybe as a job. Think about it for a second. Why don't they want you to release your code? Why don't they want you to do your job? Why don't they want you to "sell out" and become a security professional?
Why do they want you to do their bidding for them? Why are they "enlisting" people for help? If they were really blackhats, why aren't they taking action themselves, instead of taking credit for the actions of others? Is it really just adolescent scene posturing and status climbing they're after, or something else entirely?

Think about the people you think you know online. This is the only hint I will give you.

Think about the timing of all of this. Think about the new Office of Homeland Security. Think about the $200M+ SAIC contract with the NSA. Think about the failure of the NIPC, and the political reasons (and I mean real politics, not this phony blackhat/whitehat stuff) behind shutting down full disclosure, consolidating cliques, and inciting new activity in the underground. Do real blackhats really act this way? Think about why the original progenitors of all this have already left. Think about why certain people have been fired, or sent away, or have been behaving the way they are to attract attention, your friendship, and your trust. Think about why and how certain people have been busted, or have disappeared silently. Think about what they have told others.

The playing field is level now. I have spoken my piece. Beware.

P.S. Don't trust Hushmail. Think about why it requires Java, and isn't proxyable.