Full Disclosure mailing list archives

Covering that baldspot...or...hat ethics


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Fri, 16 Aug 2002 06:40:18 -0700


These are strange days. The security industry, an industry that grew out of what used to be some sort of underground, was spawned on soil drenched with the sweat and tears of what would nowadays be considered to be "blackhats".

It was at its core built on knowledge painstakingly gathered by these very same blackhats. Knowledge that was, at its root, mostly gained by "unlawful" experimentation. Think about it: exploitation techniques were developed and researched to...UH OH...EXPLOIT things. It was only when these techniques leaked and surfaced in the hands of "legitimate" researchers that they got enlisted to take part in a perverted form of "security" that we now know as "Full Disclosure".

These early "researchers" were mostly former blackhats seeking some form of monetary gain. Had they foreseen the state of information security today, I'm sure many of them would have chosen to take that "normal" programming job to gain funds and keep their blackhat ethics and philosophy intact. In fact, a large chunk of the newly found infosec workers did hold on to some of the blackhat mentality by strongly opposing public dissemination of security information and exploitation methods. They would operate within a closed circle of trusted security experts and only share information amongst themselves, ultimately giving them a lot of power and the ability to "demonstrate" insecurity anywhere. Thus they were able to make a decent living and, by keeping security information in private hands, ensure a steady cash flow. That might not be as "ethical" as some people would like, but hey...it's a big boy world. At this point in time both camps could live side by side, knowing that neither side would demolish the livelihood of the other.

Then the leech appeared. The leech is a person who does not want to invest time and effort into gaining information and knowledge. They expect it to be handed to them on a silver platter and will even complain if the information is not presented in an easily digestible format. They expect people to take the time and sit down with them to "teach" them things, and overall show very little initiative. The leech is the infosec equivalent of a spoiled brat. They have this irrational mindset that it is an obligation for those in the know to share their information with them, because they have a "right to know".

We fast forward to today. The leeches have developed and integrated into the infosec world. They are the snosofts and ngsecs of the industry. People that have acquired a moderate skillset by leeching off of the knowledge of others and never show any creativity or original thought, neither in their advisories nor in the accompanying "exploit". I'm sure they don't consider their recursive grepping for strcpy's and faulty printf's to be leeching. They call it "auditing". Auditing as it is today is nothing more than spotting pre-chewed situations that have been proven to be exploitable by someone else. And that, my friends, is leeching, and also the reason for the genericness of much of the work that spawns from these leech-based security companies. In that sense they are not the most dangerous creature in today's infosec world. They regurgitate stolen knowledge and would never find, develop and publicly spread an original method of exploitation. The biggest danger that we/us/them face is the "friend".

90% of all publicized exploitation methods have not been published by the people that first implemented them, but by friends of friends. They gain this knowledge via the grapevine and write papers in their need to educate. Or even worse...gain recognition. So however harsh it may be to deny people close to you access to information...think about the greater good and how that information will be abused in the future. There must exist a true circle of trust and a basis of equality to properly exchange information. Do not let leeches suck you dry. They expect all and return nothing.

In conclusion I suppose I, as many before me, should provide some sort of pseudo solution to the problems we, blackhats and non-disclosure supporters alike, face. Sadly enough I fear the damage has been done and it is irreversible. So let armageddon come. Clean up the ruins. And start over again. *DING* *DING* *DING*

shameinfame

"fame? shame."
