Dailydave mailing list archives

RE: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 21 Sep 2005 13:50:27 -0400

-----Original Message-----
Subject: Re: [Dailydave] Re: Exactly 500 word essay on "Why hacking is cool,
so that Marcus changes his web site"

So because of the opportunists the whole security industry is bad? Does
the same go for financial consultancy firms? They commonly come up with
ways to defraud systems, or design poor systems that no one adequately
researches. Then you get opportunists defrauding the 72 year old grannies
you mention. They do this by exploiting financial loopholes
(vulnerabilities). This is a close mirror of what goes on in security:
pointing out and detailing a flaw does not make you a criminal; using
that flaw can do.

And what has been the result of that type of fraud?  In the US, you have
sweeping accountability reforms like the Gramm-Leach-Bliley and
Sarbanes-Oxley acts.  Huge audit and control efforts for the entire industry
because of the very bad results of some devious acts by a few very bad
apples.

So as network security becomes an integral part of IT practice (make no
mistake, we're not an industry unto ourselves), will we or our peers be
happy to see more regulation and more audit overhead because Immunity or
Symantec or McAfee hired some hackers who weren't fully "retired" and they
release the next big worm?

Though you were trying to dispute one of his arguments, I think you wound up
making Marcus' point.

PaulM

PS - As we watch the patch/exploit window shrink to mere hours, I can't help
but wonder how long until the IT vendor lobby goes crying to Congress for
relief (if they haven't already?).  Legislation and regulation for security
research* in the US may only be right around the corner.  Coming soon to a
Secunia mailing list near you: 180-days-to-full-disclosure

*(meaning exploit development and disclosure in my head, but probably having
a much more broad and painfully ignorant definition once written as law)
