Full Disclosure mailing list archives
Re: Wired.com: So Many Holes, So Few Hacks
From: batz <batsy () vapour net>
Date: Mon, 30 Dec 2002 14:35:41 -0500 (EST)
On Mon, 30 Dec 2002, Richard M. Smith wrote:

:Experts who discover and report security holes seem to be far more
:industrious than the malicious hackers willing or able to exploit those
:holes.

From any perspective that matters in any broad sense, it is ultimately the same people who both discover and exploit software vulnerabilities. If not as individuals, at least as a group. The division between good hacker and bad hacker has more to do with who pays us (or doesn't) than with our sense of gratification from finding bugs. The good/evil dichotomy is arbitrary and makes everyone look stupid. It's about time it was disposed of.

:But those same experts also cheerfully confess that most exploits
:aren't all that exploitable, and that the security industry profits by
:stirring up fear and frenzy.

Like any industry, there are generally only a handful of people who comprehend the value of what it is they do and the services they provide. They are easy to spot because they tend to be filthy rich and lying on a beach somewhere, having cashed out and split before these discussions even start.

:Experts also wonder whether they and their colleagues devote entirely
:too much time to poring over program code looking for possible
:exploits.

Does anyone else find it conspicuous that the companies who make all the money don't bother spending time finding new bugs? The reason is, while it may be very useful for advancing our understanding of how these bugs evolve, it does very little to sell more widgets. If I had $80k to drum up new business, and investors breathing down my neck, I wouldn't spend it on having 0-day exploit code written, given the goal at hand and possible alternative solutions.

Hackers write code and find bugs. It's a discourse. Companies sell software and services. It's a business. The balance of the two makes for a sustainable and reasonably cool place to work. However, there are sacrifices made to maintain that balance, and when investment is involved, and push comes to shove, we all know who wins.

The industry needs to grow up and recognize where its value is, and the discourse needs to mature and become a valuable critical perspective from which to analyze business and other (more interesting) systems.

Hackers are a lot like engineers, but with imaginations. You'd think that would be the formula for success, but it's really just a way to make people think you are an unremarkable engineer, or too technical to be creative. They can always find duller engineers and flakier creative types. This is kind of ideal, because that leaves us content to use this newfound extra time to just keep on hacking. ;)

Cheers,

-- batz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html