Secure Coding mailing list archives
Re: informIT: Building versus Breaking
From: Stephen Craig Evans <stephencraig.evans () gmail com>
Date: Sun, 4 Sep 2011 23:08:51 -0500
Hi Ivan (and Sergio),

Maybe I should have clarified my position. I have no problem with security researchers and whitehats that investigate and reverse engineer malware to make the world a better place. I have problems with those that create malware - under the guise of "security research" - which then gets used by the bad guys.

I'm not saying that one can never stop breaking into things. I just don't like the glorification of creating malware by the so-called "good guys". If all of that energy instead was placed into prevention, then we would be better off.

Let's say this... I have a badness-ometer scale. On the left side of the scale is ignorance and darkness. The bad guys are operating on their own wits. There are no security researchers that publish their results. On the right side, we have today's world of infosec, where everybody is crawling all over themselves to make a name for themselves and get recognized - by tooting their horn and showing how cool they can be hacking into stuff.

It is what it is and I'm not under any illusion; I'm just not gonna accept this glorification of bad guys pretending to be good.

Stephen

P.S. One might argue that a whitehat or security researcher can't change sides and go into prevention, or in other words, be a Builder instead of a Breaker. They can't because they don't have the skills to do it. Which is precisely my point.

On Fri, Sep 2, 2011 at 11:05 AM, iarce <iarce () corest com> wrote:
> On 9/1/11 2:29 AM, Stephen Craig Evans wrote:
> > Sergio,
> >
> > "Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to protect better themselves."
> >
> > I really take offense to your comment. I am seeing malware out in the field that is based on work by so-called noble "security researchers". My litmus test is: If there were no whitehats and security researchers, would we be better off at fighting the bad guys? My answer is emphatically "yes".
>
> That is the kind of reply and opinion that very rapidly leads these debates to very divisive arguments. First you are taking offense, then you are pejoratively dismissing other people's work (by generically putting the quality or motivation of their work in question), and finally saying that you'd be better off if a whole community of people did not exist. Replace "security researchers" with any other collective and your statement would read very, very nasty.
>
> > What I hate is that "security researchers" and the "white hats" try to present themselves as noble and as the good guys. It's f*cking bullsh*t and a total scam. Ten years later for me and the state of infosec is much worse.
>
> Hmm, I wonder if I should take offense at that statement? You question the motivations and honesty of an entire group of people and imply they're responsible for an alleged degradation in the state of infosec.
>
> > There is also a nasty faction of infosec that will never want to solve problems which will put themselves out of work.
> > Yep, I am throwing down that gauntlet FWIW.
>
> Stephen, it is way past the time - it was 10 years ago too - for people in the infosec community that claim to have an interest in improving the state of infosec to move away from confrontational stances and bigotry and to engage with the offensive security community in a constructive manner, putting prejudices aside and without invoking a moral high ground that they've not been given by divine intervention.
>
> Personally, I would be glad to put you out of work. Unfortunately I can't do it alone.
>
> sincerely,
> -ivan
>
> --
> Ivan Arce
> CTO - Core Security Technologies
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
--
http://www.linkedin.com/in/stephencraigevans