Re: informIT: Building versus Breaking

[Stephen Craig Evans <stephencraig.evans () gmail com>]

Hi Ivan (and Sergio),

Maybe I should have clarified my position.

I have no problem with security researchers and whitehats that
investigate and reverse engineer malware to make the world a better
place.

I have problems with those that create malware - under the guise of
"security research" - which then gets used by the bad guys.

I'm not saying that one can never stop breaking into things. I just
don't like the glorification of creating malware by the so-called
"good guys". If all of that energy instead was placed into prevention,
then we would be better off.

Let's say this...

I have a badness-ometer scale.

On the left side of the scale is ignorance and darkness. The bad guys
are operating on their own wits. There are no security researchers
that publish their results.

On the right side, we have today's world of infosec, where everybody
is crawling all over themselves to make a name for themselves and get
recognized - by tooting their horn and to see how cool that they can
be hacking into stuff.

It is what it is and I'm not under any illusion; I'm just not gonna
accept this glorification of bad guys pretending to be good.

Stephen

P.S. One might argue that a whitehat or security researcher can't
change sides and go into prevention, or in other words, be a Builder
instead of a Breaker. They can't because they don't have the skills to
do it.

Which is precisely my point.







On Fri, Sep 2, 2011 at 11:05 AM, iarce <iarce () corest com> wrote:
> On 9/1/11 2:29 AM, Stephen Craig Evans wrote:
> > Sergio,
> >
> > "Blackhat IS about breaking stuff, the vendors area offers defense
> > products and services to improve your security. For building stuff (as
> > in development) there are other conferences out there. People go to
> > Blackhat to be aware of what things might go wrong in order to protect
> > better themselves."
> >
> > I really take offense to your comment.
> >
> > I am seeing malware out in the field that is based on work by
> > so-called noble "security researchers".
> >
> > My litmus test is: If there were no whitehats and security
> > researchers, would we be better off at fighting the bad guys?
> >
> > My answer is emphatically "yes".
>
> That is the kind of reply and opinion that very rapidly leads these
> debates to very divisive arguments.
>
> First you are taking offense then your are pejoratively dismissing other
> peoples work (by generically putting the quality or motivation of their
> work in question) and finally saying that you'd be better off if a whole
> community of people did not exist. Replace "security researchers" with
> any other collective and your statement would read very very nasty
>
> > What I hate is that "security researchers" and the "white hats" try to
> > present themselves as noble and as the good guys. It's f*cking
> > bullsh*t and a total scam. Ten years later for me and the state of
> > infosec is much worse.
>
>
> Hmm I wonder if I should take offense of that statement? You question
> the motivations and honesty of an entire group of people and imply
> they're responsible for an alleged degradation in the state of infosec.
>
>
> > There is also a nasty faction of infosec that will never want to solve
> > problems which will put themselves out of work. Yep, I am throwing
> > down that gauntlet FWIW.
>
> Stephen, it is way past the time - it was 10 years go too- for people in
> the infosec community that claim to have an interest in improving the
> state of infosec to move away from confrontational stances and bigotry
> and to engage with the offensive security community in a constructive
> manner, putting prejudices aside and without invoking a moral high
> ground that they've not been given by divine intervention.
>
> Personally, I would be glad to put you out of work. Unfortunately I
> can't do it alone.
>
>
> sincerely,
> -ivan
>
> --
> Ivan Arce
> CTO - Core Security Technologies
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________



-- 
http://www.linkedin.com/in/stephencraigevans
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________