mailing list archives
Re: Wired.com: So Many Holes, So Few Hacks
From: batz <batsy () vapour net>
Date: Mon, 30 Dec 2002 14:35:41 -0500 (EST)
On Mon, 30 Dec 2002, Richard M. Smith wrote:
:Experts who discover and report security holes seem to be far more
:industrious than the malicious hackers willing or able to exploit those
From any perspective that matters in any broad sense, it is ultimately
the same people who both discover and exploit software vulnerabililties.
If not as individuals, at least as a group. The division between good
hacker and bad hacker has more to do with who pays us (or doesn't) than
with our sense of gratification from finding bugs. The good/evil
dichotomy is arbitrary and makes everyone look stupid. It's about
time it was disposed of.
:But those same experts also cheerfully confess that most exploits
:aren't all that exploitable, and that the security industry profits by
:stirring up fear and frenzy.
Like any industry, there are generally only a handful of people who
comprehend the value of what it is they do and the services they
provide. They are easy to spot because they tend to be filthy rich and
lying on a beach somewhere, having cashed out and split before these
discussions even start.
:Experts also wonder whether they and their colleagues devote entirely
:too much time to pouring over program code looking for possible
Does anyone else find it conspicuous that the companies who make all
the money don't bother spending time finding new bugs? The reason is,
while it may be very useful for advancing our understanding
of how these bugs evolve, it does very little to sell more widgets.
If I had $80k to drum up new business, and investors breathing down
my neck, I wouldn't spend it on having 0-day exploit code written,
given the goal at hand and possible alternative solutions.
Hackers write code and find bugs. It's a discourse. Companies sell
software and services. It's a business.
The balance of the two makes for a sustainable and reasonably
cool place to work. However, there are sacrifices made to
maintain that balance, and when investment is involved, and
push comes to shove, we all know who wins.
The industry needs to grow up and recognize where its value is, and
the discourse needs to mature and become a valuable critical perspective
from which to analyze business and other (more interesting) systems.
Hackers are alot like engineers, but with imaginations.
You'd think that would be the formula for success, but it's
really just a way to make people think you are an unremarkable
engineer, or too technical to be creative. They can always find
duller engineers and flakier creative types. This is kind of ideal,
because that leaves us content to use this newfound extra time
to just keep on hacking. ;)
Full-Disclosure - We believe in it.