Full Disclosure mailing list archives
RE: more security people = less security
From: "Keith Pachulski" <keithp () corp ptd net>
Date: Wed, 4 Feb 2004 07:35:37 -0500
bravo =)

-----Original Message-----
From: Uncle Scrotora Balzac [mailto:scrotora () hushmail com]
Sent: Tuesday, February 03, 2004 3:22 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] more security people = less security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Many hackers (who also view themselves as security experts) are pissed off by the landslide of new people, products, and money entering into the security space. You hear about how things are changing (for the worse), and posers, and blah, blah, blah. Hell, you even got hackers releasing [nothing short of] press releases about why they're leaving the scene because the scene is just too different nowadays.

Yes, it's true there are many more people becoming security "experts" (using this term as loosely as possible) every day. And yes, it's also true companies are running to the marketplace faster than Whitney Houston to a line of coke. And yes, it's also true that corporations are driving this trend by pouring obscene amounts of money into these companies without understanding their half-ass solutions.

But, honestly, you really can't ask for a better situation. If blackhats aren't *embracing* this trend, they're missing the boat.

Of course, the obvious benefit: The more people pulled into this space from various other backgrounds, the lower the average security administrator's level of knowledge becomes. This "dumbing down" happens for several reasons, but the most significant is the way in which these new generations of security administrators are educated. Typically, they are forced into these positions by employers that realize they desperately need security staff. So, they move some random people into said positions. Not uncommonly, network admins or sysadmins that sucked in their previous positions. Now you've got some guy sitting there trying to figure out which way is up, so where do they turn? To vendors.

Be it a vendor of hardware/software solutions, or a vendor like SANS (selling propaganda, errr, I mean, "education" about open source products backed by commercial entities which SANS purportedly invests in). Since vendors are offering solutions criminally acute in focus (especially compared to the visibility required to solve the "problems" said vendors are trying to address), the vendor "educates" the willing client about the threats the client faces and how the vendor can save the client's world.

Since many admins have been learning about hackers and threats from the perspective of vendors who are trying to make a sale -- typically sales people or technical sales people like system/field engineers, like the blind leading the blind -- they have no concept of the *true* threats they need to be concerned about. It's not uncommon to hear people talking about Teardrop, Jolt, and Ping of Death attacks. F'in DoS attacks against Windows 3.1, Win 95, etc.! Not to mention, nothing that results in remote access to a system. Good, keep focusing on these "attacks." (And YES. ALL the other attacks these vendors focus on are just as lame as these examples.) Typical hackers these days need to worry about power surges more than security tricks.

Although it grates on the nerves of everyone who knows better to see all these pen testers running around selling Nessus reports, or hear security admins spouting off illogically about how they use product XYZ to accomplish all these lofty objectives... Well, it also gives you a wide open map into the small areas they're actually looking into protecting, and the vast open areas they have no clue how to protect, much less watch, or even what the hell to look for if someone even did notice an irregularity.

So bring it on! We need *more* new security people and more new products to create more confusion, ambiguity, and false senses of superiority. Think security consoles only being released for Windows anymore doesn't signify anything?!

Come on out, the water's fine!

- Uncle Scrot

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- more security people = less security Uncle Scrotora Balzac (Feb 03)
- Re: more security people = less security Michael Graham (Feb 04)
- <Possible follow-ups>
- RE: more security people = less security Keith Pachulski (Feb 04)
- more security people = less security macmanus (Feb 04)
- Re: credibility (was 'more security people') Gregory A. Gilliss (Feb 04)
- Re: credibility (was 'more security people') rhetorical question (Feb 04)
- Re: more security people = less securityi Keith W. McCammon (Feb 04)
- Re: more security people = less securityi Damian Gerow (Feb 05)
- Re: more security people = less securityi madsaxon (Feb 05)
- Re: credibility (was 'more security people') Gregory A. Gilliss (Feb 04)