Full Disclosure mailing list archives

Re: Security Industry Under Scrutiny #4


From: ratel <ratel () mailvault com>
Date: Wed, 22 Jan 2003 23:44:12 -0500 (EST)


On 22-Jan-2003 19:07:25 -0500, you wrote:

You have a clear point here. Knowing the enemy is essential.

Knowing yourself first is the real challenge. 

But looking at it statistically, there are a lot of criminally inclined
people, but only very few spies. People in intelligence are usually very
dedicated but dull professionals, and would hardly qualify for this
definition of spies.

You want to know the reason so many people in intelligence community
today are plodding rule-followers who lack the imaginative spark
essential for good analysis? All that Hoover-era Boy Scout BS in the
Clearance Adjudication Manual constantly weeds out all but the very
sharpest bastards who know how to beat the system at its own game.
Darwinian selection. They "profile-out" the very people psychologically
suited to catching anyone they really need to be worried about. 

Maybe the people disappointed in intelligence work become
hackers - nah, just kidding. These narcissistic, paranoid, antisocial etc.
people do exist, but I doubt if there are many.

The Darwinian paradox again. Face it, Robert Hanssen's tradecraft
sucked. If the people around him had been a little MORE paranoid,
narcissistic and antisocial, the game would have been up for him a long,
long time ago. There's a classic picture online somewhere of a
"department group photo" which about says it all: everyone around him
looks dumb, sleepy, complacent and pleased as punch, he's the only one
in the whole goddamn picture with half a spark of life in his eyes. 

If we insist that only "normal, trustworthy" people are allowed to
protect us, is it any wonder the wolves on all sides of the law have a
field day? We must be getting the security we deserve. Disgusting,
really.

Hence, the discussion about blackhats and whitehats cannot be
that important. It does prove that in the IT security business we are
narcissistic and paranoid - just looking at our own small world,
getting status by pointing out the risks to anyone listening, seeing
dangers under the bed.

Yep. Speaking of malicious blackhats to worry about, I once heard a
genuinely technically talented blackhat-turned-government researcher
justify himself (after the obligatory "how COULD you!?") as he said with
a shrug:

"The government is going to steal my work anyway, why shouldn't they pay
for it too?" 

Absolutely chilling logic, isn't it. The old Faustian bargain. His
record is clean, who's going to stop him? So in the next great
"crackdown" as thousands of blackhat/whitehat small-time losers get
spied on, set up, jail sentences or worse, this bastard will be sitting
pretty, far above it all, on his nice little government grant. Doing
absolutely whatever he wants on his own time. Maybe not with an
excessively large salary, but he'll be doing fine.

People like this are the real threat. If the industry quit drumming up
business by releasing exploits for stupid people--and causing enormous
amounts of damage in the meantime--everyone might be able to concentrate
on larger threats which are infinitely more important.  

I think the scrutiny should be: why doesn't the industry go for the real
issues in information security.

Because in the main they're a bunch of hypocritical, sleazy two-bit
con-artists who'd prefer to get rich selling derivative snake oil
(rather than doing something original and productive) to business
consumers who'd rather throw money at the problem and have a tidy
"security solution" handed to them on a silver platter than educate
their users on how to take responsibility for themselves?

Maybe? 

Just a hunch.

Ratel.
