On Mon, 18 Nov 2002, ratel wrote:
First, ignore Ron -- everyone else does. :-)
Desist what? I don't see why we can't have a reasonable discussion about
the idea that putting exploits in the hands of script kiddies while
cashing in and making a great show of how much you care about protecting
security is hypocritical, that's all. I happen to think this is a deadly
serious topic we can't afford to sweep under the rug just because we
happen to disapprove of someone's elocution.
Is calling oneself a blackhat really a prerequisite to despising
derivative snake oil hucksters and back-stabbing money-grubbing frauds?
It certainly shouldn't be. You'd think anyone who actually cares about
improving security would find the current state of affairs every bit as
nauseating and beneath contempt as the PHC.
OK, I am confused here. Gobbles tells me that I cannot be considered a
hacker because I don't break into people's systems (blackhat activity); I
secure them. I am fine with that, but yet I agree that there are *many*
"snake oil hucksters and back-stabbing money-grubbing frauds" in this
industry and they should be squeezed out of the industry - yet I am not a
blackhat, I am one of the hated whitehats I guess although I have never
labeled myself as anything but someone interested in learning.
I do not agree that it means that we should not share information amongst ourselves
and system administrators.
My problem with how this whole thing is playing out is that it seems that
the wrong people are being targeted. Yes, ISS is an organization full of
slick talking salesmen who have no business even using the word security
let alone selling it and X-force is a joke. But, I have seen firsthand
far worse companies and organizations out there. Here is an example -
www.eeyenetworks.com (not to be confused with eEye although they would
like you to). Go look at the google cache of their events page -- in
particular their Blackhat Windows 2000 claim and their claim to be
sponsoring/speaking at BH Windows 2003. I emailed them asking about the
talk description as it was word for word copied from someone else's BH2001
talk and they ignored me but removed the description. hmmmmmmm
I have a real fucking problem with idiots who know nothing, understand
nothing, and won't take the time to try and learn it standing up in front
of IT people and selling them "security". You are right, these people
care nothing for security and only care that this is the "next big thing"
to pad their wallets with. Call me what you want (I know I will get
flamed) but at least I try to learn from the information everyone is kind
enough to share. Some of us who you are tossing into the same bucket as
these assclown snake oil salesmen actually do truly care about security
and hacking for that matter.
So instead of flaming and fighting on this list -- what the hell are WE
going to do about it?
Plugging our ears and patting each other on the back won't make anything
about the situation better. Maybe encouraging more people to take a good
hard look in the mirror about why they're doing what they do will.
So, what do we do about it?
If my thoughts on this honestly strike you as being some part of a
childish rant, so be it. If my failure to provide my real identity and
credentials here bars my entry into the class of "serious people" worth
considering, that's fine too. After all, we all have our own ideas about
what makes someone a laughingstock.
This isn't a childish rant. It is the truth and the unfortunate state of
the security industry. My problem with these rants is that no one is
willing to put their names to them. Shit, for all we know you could be an
X-Force employee. j/k :-)
But I would hope that the message itself would be somewhat independent
of the messenger, given that so very much hangs in the balance.