[Full-disclosure] Security Researcher Not Particularly Humiliated
jf at danglingpointers.net
Tue Apr 10 10:25:11 BST 2007
You know, years ago, when I first started running Unix I prided myself on
having a fairly secure box. I read all the *-Security-HOWTOs, turned off
unnecessary services, which meant I turned everything off, put my boxes
behind multiple firewalls and laughed when people got owned. Somewhere
along the line it occurred to me that my security was largely not founded
in reality, because many of the computers connected to the internet require
some services to be running, and that my perception of my skill set in
security was largely flawed, because cutting my boxes off really just meant
I was hiding from any possible threat, and thus my beliefs were

The same can largely be said about hiding behind layers of pseudonyms; it
takes a bit of courage for people like Raven to come out in public, not so
much because of the random few who would heckle, but because she makes
herself visible and gives an identifiable location to attack; because she
can potentially be a target. She was correct when she stated that '0-day
happens'; are any of you so confident in the quality of the code you run?
It's an interesting industry we live and work in, because even if you've
reviewed every line of code in every application and operating system you
run, chances are good you missed something, and the fact that many
people choose to hide behind throw-away email addresses and shifting
pseudonyms shows their lack of confidence in their own security, and that,
to me, is something that should warrant humiliation.

On Mon, 9 Apr 2007, Ham Beast wrote:
> Date: Mon, 9 Apr 2007 09:21:03 -0700
> From: Ham Beast <i.am.hambeast at gmail.com>
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Security Researcher Not Particularly Humiliated
> basically can you comment in the rumors that alike to the vast majority of
> female investigators of the security you used to be a man?
> beyond that on the rumors that with you shoes of clown are apparent and
> jacket sports is being worn ?
> On 4/8/07, Raven Alder <raven at oneeyedcrow.net> wrote:
> > Hiya --
> > > Security conference staff needs to do a better job of screening
> > > their audiences to prevent this sort of harassment during
> > > presentations. I must admit that I am afraid to present at future
> > > conferences if there is the possibility of being humiliated like
> > > this during my talks.
> > As the researcher in question, I didn't feel particularly
> > humiliated. Sure, I thought the guy was a troll, but I figured that he
> > was just being a jerk to me because he had some chip on his shoulder and
> > couldn't find anything to complain about in my talk. But really, his
> > big tac-nuke against me was that there was some undisclosed bug in
> > Apple's code? That's hardly my fault. I don't write their OS, and the
> > thing was fully patched, firewalled, hardened, and still got popped.
> > Shit happens.
> > I didn't go public with it because I wanted a smoking gun first.
> > Security is very much a "show me" industry, and I didn't want to make
> > claims that I couldn't substantiate. I did approach Apple, and they
> > pretty much blew me off. I sent them a detailed event report, offered
> > up my system for forensic analysis, and offered to help in any way I
> > could. They went to the press, gave a reporter my name (I had not gone
> > to the press), and dished some crap about how I let my boyfriend use my
> > computer and he probably did something to disable my firewall and cause
> > it to auto-own itself or something. Dude. My boyfriend does not have
> > admin permissions on my machine, for starters. Way to help, Apple.
> > After realizing that Apple were not my friends and were more
> > interested in their PR spin than they were in finding and fixing the
> > problem, I stopped talking to them. I had several OS X geeks have a
> > look at the system, and none of them were able to find anything more
> > conclusive than I did. Forensics geeks, same thing. So, I dumped the
> > filesystem for posterity, vowed that no OS X box was going on a hostile
> > network again, and reformatted the thing.
> > Sorry, folks, but I'm not going to share my filesystem dump with
> > people that I do not already know and trust. Don't even ask.
> > Not even if you're Apple. You leak my name to the press when
> > I'm trying to help you find your flaw, you get no more help from me.
> > All of this is pretty irrelevant to the talk I gave. Still, I
> > don't feel that audience screening is the way to solve the problem -- I
> > don't want to quash honest questions and interest in the projects I'm
> > working on, and I think any screening that wouldn't be trivially
> > defeated by lying-fu would be draconian enough to be detrimental to free
> > and open discourse. There are always going to be trolls. I think the
> > audience and convention response was about as good as it could have been
> > -- the troll got told off by several people, two of them with the mike,
> > but it was pretty clear that most people were more interested in the
> > technical content of the talk than they were in his effort to get my
> > goat. The conference organizers offered sympathy, and that was kind of
> > them; I believe the guy got pitched out of the con for going on to
> > harass a few other folks too. Charming gent.
> > So, really, I don't think I have anything to be ashamed of, and
> > I certainly don't feel humiliated. I can see why getting ad hominem
> > questions might make getting up on stage more intimidating for future
> > speakers, but I don't intend to let that shut me up. [grin]
> > Cheers,
> > Raven
> > --
> > @
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/