Full Disclosure mailing list archives

Re: Wired.com: So Many Holes, So Few Hacks


From: batz <batsy () vapour net>
Date: Mon, 30 Dec 2002 14:35:41 -0500 (EST)

On Mon, 30 Dec 2002, Richard M. Smith wrote:

:Experts who discover and report security holes seem to be far more
:industrious than the malicious hackers willing or able to exploit those
:holes. 

From any perspective that matters in any broad sense, it is ultimately 
the same people who both discover and exploit software vulnerabilities. 

If not as individuals, at least as a group.  The division between good
hacker and bad hacker has more to do with who pays us (or doesn't) than 
with our sense of gratification from finding bugs. The good/evil 
dichotomy is arbitrary and makes everyone look stupid. It's about 
time it was disposed of. 

:But those same experts also cheerfully confess that most exploits
:aren't all that exploitable, and that the security industry profits by
:stirring up fear and frenzy. 

Like any industry, there are generally only a handful of people who 
comprehend the value of what it is they do and the services they
provide. They are easy to spot because they tend to be filthy rich and 
lying on a beach somewhere, having cashed out and split before these
discussions even start. 

:Experts also wonder whether they and their colleagues devote entirely
:too much time to poring over program code looking for possible
:exploits. 

Does anyone else find it conspicuous that the companies who make all 
the money don't bother spending time finding new bugs? The reason is, 
while it may be very useful for advancing our understanding 
of how these bugs evolve, it does very little to sell more widgets. 
If I had $80k to drum up new business, and investors breathing down 
my neck, I wouldn't spend it on having 0-day exploit code written, 
given the goal at hand and possible alternative solutions. 

Hackers write code and find bugs. It's a discourse. Companies sell 
software and services. It's a business. 

The balance of the two makes for a sustainable and reasonably 
cool place to work. However, there are sacrifices made to 
maintain that balance, and when investment is involved, and 
push comes to shove, we all know who wins. 

The industry needs to grow up and recognize where its value is, and 
the discourse needs to mature and become a valuable critical perspective 
from which to analyze business and other (more interesting) systems.  

Hackers are a lot like engineers, but with imaginations. 
You'd think that would be the formula for success, but it's 
really just a way to make people think you are an unremarkable
engineer, or too technical to be creative. They can always find 
duller engineers and flakier creative types. This is kind of ideal, 
because that leaves us content to use this newfound extra time 
to just keep on hacking. ;) 

Cheers, 

-- 
batz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html