Are PHC going to ultimately secure more work for

[sockz () email com (sockz loves you)]

----- Original Message -----
From: "James Martin" <fulldisclose () uuuppz com>
Date: Mon, 16 Sep 2002 12:54:22 +0100 
To: <full-disclosure () lists netsys com>
Subject: [Full-disclosure] Are PHC going to ultimately secure more work for "Security Consultants"?

Hi James.

> I've been pondering the real effect PHC are going to have (if at least
> partially successful) on the "Security Industry". My conclusion is that
> ultimately they will help, not hinder the industry. I'd be interested to
> hear your comments on my argument.

likewise.  i think i've made a few good counter-arguments in my reply, but
i would certainly be interested as to what you (and others) think.
 
> What does the industry rely on to maintain a market? Fear. Fear of breaches
> of privacy. Fear of vandalism. Fear of embarrassment. Fear of loss of
> productivity.

hmm... i see.  fundamental but true.

> For a company to invest in maintaining security, they must be able to
> justify their fears. As many of you know it can be very difficult to
> convince those in suits that there's a real risk of being hacked. A tangible
> representation of the risk is often needed, rather than just protecting
> against an unknown enemy.

i dont know many *suits* who are aware of the PHC.  sure a few would exist out
there somewhere, but business people tend to want to focus on things in the
business scene, not the computer security scene.  thats why they hire security
"professionals".  because they dont have the time to waste on the job
themselves.  hence if the business person hasn't got the time to keep up with
first-hand information about the hacking community, then they become heavily
reliant upon the security people they contract.  which ultimately brings us
back to the point that its the security industry that generates this paranoia.

> If PHC et al succeed in building a name for themselves in the media, they
> will become to Al Quida of the security  industry. Still very sketchy in
> detail, but a label for the risk. This in my opinion should prove a powerful
> weapon in the arsenal of those pushing for larger (or even some) budgeted
> capital for security related services.

why do you attempt to demonise PHC by likening them to a well-known terrorist
network?  it doesn't help your point at all.  if this DOES happen it will be
the fault of the whitehat security industry panicing.  just because al qaeda
is probably the most known terrorist organisation on earth, doesn't mean they
are the most formidable.  there are many other groups out there who aren't
even mentioned, yet could probably out-terrorise :) al qaeda.  catch my drift?
al qaeda is like the script kiddy organisation of the terrorist underworld.

> Ultimately a threat is going to strengthen the industry not weaken it. Keep
> up the good work PHC, your securing the internet ;P.

not really, seeing as the security industry can only protect its clients
against those bugs that are known.  i dont see it as being that hard for PHC
to come up with something original whenever they want to make a point.  hence
a threat is just a threat, it doesn't strengthen anything.  the only strength
gained is when unique attacks occur, prompting whitehats to investigate a new
technique, at which point it becomes redundant and probably wont be used by
the group again.  comprehend?  this brings us back to the original argument
that the only strength the security industry has is in the ability to palm
off obsolete attacks as threats in themselves.  a scenario in which the only
ppl moving to execute these attacks are leeches.  PHC has no need to leech.

anyway, i'd be interested in hearing your thoughts on this.

<3 sockz
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup