[Full-Disclosure] Security community or commodity?
Uncle Scrotora Balzac
scrotora at hushmail.com
Tue Feb 10 14:34:33 GMT 2004
Hi boys and gals - it's time for yet another episode of Uncle Scrotora's
"Views and Rues for You to Use and Abuse!"

If you've wasted the time to read some of Uncle Scrot's posts recently,
you might be thinking that ol' Unk thinks that all the problems in the
security industry today stem from the poisoned and tainted information
vendors pump into an industry that's more than willing to soak it up.
Actually, the problem with the security industry today *originates* from
the "community," not the other way around, as many of ~them~ would like
you to believe.

However, interestingly enough, the same willingness by the folks lining
up to be a part of this industry and absorb the tainted "information"
spewed by vendors also fuels the other pool of jokers running around
-- the underground. There are so many people now desperate to believe
the garbage anecdotes floating around, feeding the distended idea of
an "underground." Legions of structured hacking armies existing simply
to justify the existence of those who want nothing more than to blindly

At this point in these ramblings, you might have one of two types of
reactions. The first goes something to the effect of, "What the hell
is this Balzac talking about? I have friends who are VERY hard core
(circle one:) [hacker(s)]/[researcher(s)]/[security company owner(s)].
They are so smart, and when we go to security conferences, everyone talks
about how (circle one:) [intelligent]/[crazy]/[sexy]/[hard core] they
are." It's possible that you might not be as lucky, and may have a response
vaguely similar to this one, such as, "I was at HardCon when I became
friends with I. E. Less. We talked for *at least* 5 minutes, then we
went out to the bar and hung out together (with like 15 other people).
If you want me to introduce you, let me know. I was going to check and
see what new sploits he's got anyways." Regardless, you still fall into
the same category.

Let's keep with the current example before moving on; that is, a typical
security conference. The recipe for a security conference follows: Take
one location, preferably some place with lots of strip clubs. This is
so all the geeks can fantasize about getting their little ding-dings
wet while throwing dollar bills at some hot chicks. These same girls are
social engineering them harder than the geeks do in chat rooms when they
act like women to hook up with all the lesbians in chat. (You know who
you are, B-digity-dog... Ain't a compromised up-stream a bitch?) Next,
add to that location a bunch of speakers. Getting speakers is not
an overly difficult task. Plenty of folks out there are doing work that
is so incredibly academic in nature that the only way any of their ideas
will ever get anything close to play is for said "scientists" to stand
in front of a few hundred people alluding to how dangerous their findings
are. Better yet, they may opt to publish fictional books about how bad
things could be for the world if real life worked like their self-righteous
views of their work. But hey, writing it on paper as truth has worked
for plenty of religions thus far, so give it a go! Interesting, or not,
there are always people out there who'll believe it's as important as you
tell them it is. Who cares if it never *really* gets used in the wild???

However, you cannot fill all speaking slots with these people. There
are two other categories of speakers that no Con should be without. Next
are the ones who have canned talks they give at Cons all around the globe.
The material may change slightly for each show (ie: the opening joke).
However, since the content is basically a summary of information everyone
in the audience could get by reading a book or couple of websites, it
makes for a highly portable presentation. It's not the speaker's fault
though. When they developed the presentation a few years ago, the material
was fresh and interesting. They can't help it if you messed things up
by learning about their topics *before* getting stuck in their session.
Better yet, most of the dudes giving these talks are the best speakers
around since they have the most practice repeating the same thing, over,
and over, and over, and over. It's much easier not to worry about adding
value to the material with unique insights or original research, and
makes for lower overhead in reusing material for years to come.

The last types of speakers are truly the most valuable. They come from
vendors, or better yet, vendors that pose as open source projects, and
they come to share new technology with your audience. Their messages
are purely objective and agnostic, as long as you use their products
and buy their books. This last group of people is small [thankfully]
since they're like religious zealots. However, in their eyes, they're
just trying to "save" you. Think of geek versions of the Hare Krishnas.
These speakers are good to have in severe moderation. It's like having
Howard Dean around. He's a total chimpanzee, but it's fun to watch what
he does next. These speakers make for the same kind of cheap entertainment.

So now that you have a location and speakers, you need people. With the
first two hurdles out of the way, the rest is easy. You see, speakers
will do a great job of patting each other on the back and telling each
other how [intelligent]/[crazy]/[sexy]/[hard core] they are, but since
most Cons only have around 15-50 speakers, that's not nearly enough to
feed the ego of a typical security expert. Because of this, they will
usually bring their own auxiliary sense-of-self inflation staff. Usually
4 to 8 per speaker. These folks are akin to groupies, but don't be fooled.
They're not as fun to hang out with as a typical groupie, nor do they
have cool tattoos or weed to share. These people will help enlarge the
conference attendee list, but will not push it into the profitable range.
To make the cash, you need to get the word out through all the portals
that hard core security people use, like secfocus and Bugtra[sh]q and
all that. Besides, IRC doesn't support banners. Anyways, these people
usually come from companies that are scared shitless (although not exactly
sure what they're scared of and why, they just know they should be) so
they'll pay the coin to send their people to your Con in hopes of gaining
some valuable insight into the world of blackhat h4x0r5. Chances are though,
their people will only be subjected to excessive amounts of back-patting
and ego-stroking, but if they get a few good lap dances at the Con's
location, who can fault them?

But alas, I digress. We were talking about belief. Belief is what makes
a community so strong you say? To this, I do not argue. Belief is exactly
why the security "community" is so strong. So many people that want to
believe they're so much more than they really are. No, finding some new
way of getting an obscure (and in many cases outdated) "attack" past
an IDS because of some little HTTP prank doesn't make you amount to a
hill of shit. So many people that want to believe they're friends with
someone famous. No, if you pulled your head out of your screen and looked
around the real world long enough, you'd find that people really don't
care about your buddy Eyesack Newtun (screen name, of course) who can
get single packets past a piece of network hardware (but you can see
the box exists!). So many more people that believe ambiguous answers
to indirect questions must mean they, "really did do it since he/she
won't talk about it with me. That's SO hard core!"

And for the 20 of you on this list that think this is bullshit because
you know you're a living portion of the "underground"... Acting like
an asshole to anyone who's not clinging to each other in your little
knitting club or playing silly computer pranks with you, doesn't make
you the underground. It makes you a prick, and there are far more talented
(and decent) people who enjoy watching you for entertainment.

In other words, so many layers upon layers of people who don't DO. They
just regurgitate the talent of other people. Good. Keep trying to release
papers that do nothing but describe and summarize the work of others
and see what happens. From scanning to rootkits. One, after another,
after another - until they're all that's left anymore. Just repeating
each other, all the while amplifying each other's self-esteem. An orgy
that's driving the original talent and new talent into other circles.
These new circles are what I imagine security conferences were like long
before I was around to attend. I'm glad they're not conferences now.
It'd be too easy for you to show up with your hardcore friends.

-Unk Scrot

"Unconsciously we all have a standard by which we measure other men,
and if we examine closely we find that this standard is a very simple
one and is this: we admire them, we envy them, for great qualities which
we ourselves lack. Hero worship consists in just that. Our heroes are
the men who do things which we recognize with regret and sometimes with
a secret shame that we cannot do. We find not much in ourselves to admire,
we are always privately wanting to be like somebody else. If everybody
was satisfied with himself there would be no heroes."
- Mark Twain's Autobiography
Full-Disclosure is hosted and sponsored by Secunia.