Re: Beyond black, white, and grey: the Yellow Hat Hacker
From: hellNbak <hellnbak () nmrc org>
Date: Tue, 19 Nov 2002 00:11:22 -0600 (CST)

On Mon, 18 Nov 2002, Ron DuFresne wrote:

Oh yes, it's very important to give these kids that sit in efnet #phrack
all day discussing the 'glorious' escapades of the DC snipers, or how they
can't wait for the next WTC terrorist fiasco to strike.  Giving them a
platform to further their rants about an industry they have never had an
interest in supporting because it limits their abilities to commit internet
mayhem has no merit.

Are you really naive enough to fall prey to their shock tactics?  Come on,
hasn't Marilyn Manson, and the WWE taught you anything -- the more shocking
and offensive you are the more people you will attract and the more
attention you will win.  Their rants -- when they are not trying to shock
people -- do have merit.  The security industry is falling into a horrible
state and I think it's up to all of us who truly care about security to fix
it.  I am just unsure how, so I for one am willing to put up with the
flames and the occasional shocks in order to hear others' opinions and

Of course Steve, you didn't ignore me when you made me one of the proposed
speakers for your failed CSIC conference this year.  Go ahead, give these
lamers a platform, encourage them.  But, please do it off list, why do you
have to subject the whole list to these diatribes?

The talk you proposed was good enough to get past *all* of the reviewers
(not just me).  So what's the issue with that?  Yeah, the conference failed
due to many factors, poor planning, high costs, among a few.  Live and
learn.  The point is Ron, you are fueling the flame wars with these guys
with responses that are nothing but flames, why not try and hear the true
message that they are getting across -- it's nothing new:
"The security industry is full of snake oil salesmen -- BEWARE".

On Mon, 18 Nov 2002, hellNbak wrote:

On Mon, 18 Nov 2002, ratel wrote:

First, ignore Ron -- everyone else does.  :-)

Desist what? I don't see why we can't have a reasonable discussion about
the idea that putting exploits in the hands of script kiddies while
cashing in and making a great show of how much you care about protecting
security is hypocritical, that's all. I happen to think this is a deadly
serious topic we can't afford to sweep under the rug just because we
happen to disapprove of someone's elocution.

I agree.

Is calling oneself a blackhat really a prerequisite to despising
derivative snake oil hucksters and back-stabbing money-grubbing frauds?
It certainly shouldn't be. You'd think anyone who actually cares about
improving security would find the current state of affairs every bit as
nauseating and beneath contempt as the PHC.

OK, I am confused here.  Gobbles tells me that I cannot be considered a
hacker because I don't break into people's systems (blackhat activity), I
secure them.  I am fine with that, but yet I agree that there are *many*
"snake oil hucksters and back-stabbing money-grubbing frauds" in this
industry and they should be squeezed out of the industry - yet I am not a
blackhat; I am one of the hated whitehats, I guess, although I have never
labeled myself as anything but someone interested in learning.

I do not agree that it means that we should not share information amongst ourselves
and system administrators.

My problem with how this whole thing is playing out is that it seems that
the wrong people are being targeted.  Yes, ISS is an organization full of
slick talking salesmen who have no business even using the word security
let alone selling it, and X-force is a joke.  But, I have seen firsthand
far worse companies and organizations out there.  Here is an example -
www.eeyenetworks.com (not to be confused with eEye, although they would
like you to).  Go look at the Google cache of their events page -- in
particular their Blackhat Windows 2000 claim and their claim to be
sponsoring/speaking at BH Windows 2003.  I emailed them asking about the
talk description as it was word for word copied from someone else's BH2001
talk and they ignored me but removed the description.  hmmmmmmm

I have a real fucking problem with idiots who know nothing, understand
nothing, and won't take the time to try and learn it standing up in front
of IT people and selling them "security".  You are right, these people
care nothing for security and only care that this is the "next big thing"
to pad their wallets with.  Call me what you want (I know I will get
flamed), but at least I try to learn from the information everyone is kind
enough to share.  Some of us who you are tossing into the same bucket as
these assclown snake oil salesmen actually do truly care about security,
and hacking for that matter.

So instead of flaming and fighting on this list -- what the hell are WE
going to do about it?

Plugging our ears and patting each other on the back won't make anything
about the situation better. Maybe encouraging more people to take a good
hard look in the mirror about why they're doing what they do will.

So, what do we do about it?

If my thoughts on this honestly strike you as being some part of a
childish rant, so be it. If my failure to provide my real identity and
credentials here bars my entry into the class of "serious people" worth
considering, that's fine too. After all, we all have our own ideas about
what makes someone a laughingstock.

This isn't a childish rant.  It is the truth and the unfortunate state of
the security industry.  My problem with these rants is that no one is
willing to put their names to them.  Shit, for all we know you could be an
X-Force employee.  j/k  :-)

But I would hope that the message itself would be somewhat independent
of the messenger, given that so very much hangs in the balance.


"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org


