From: eyberg at umr.edu (Ian Eyberg)
Subject: black vs. white

greets-
  I think both hats need a good public relations team.  You both have valid 
points but you screw up when a) you don't know what you're talking about or 
when b) you argue for different points.  Let's summarize some points, shall we...

1) blackhats break into systems illegally
2) whitehats predominantly work in the infosec industry

Now let's use some good old set theory that most people can understand.  
An intersection set can be composed of people that work in the infosec 
industry and those who break into systems illegally.  So, to say you're a 
shade of any color hat to represent what you think is ludicrous.  Frankly 
I think the whole color hat argument is a stupid buzzterm whose time is up.

I can see why 'black hats' are pissed at the infosec industry.  Can 
anyone say David Endler and re-packaged advisories?  This type of 
'feeding off' of the other talent out there is just pure and simple 
unethical and shouldn't happen.  The problem it seems, is that a lot of 
'security analysts' pass their certs and figure they are good ol' hackers 
who can go collect big bucks from fortune 500 companies because they know 
that the company that contracts them is more ignorant of security issues 
than they are.  This severely pisses me off from two points.  Number one 
being that they are fake.  Number two being that they are screwing the 
company over that hired them.  We don't need to get into the 
anti-corporate america argument but a little kindness goes a long way and 
the golden rule is very pertinent here.

Let's analyze the white hat view now.  Let's admit it sucks to get 
owned.  Besides pride and humility when you tag any box, even if you 
didn't write all over index.php, you have caused major damage to the 
owners of it.  Many companies, educational institutions and other places 
of interest require said owned box to be completely revamped.  Well, that 
requires paying someone usually and many times jobs are on the line.  
I've seen several cases where a person was immediately fired because he 
failed to protect a box and somehow it made it into the public view.  Now 
you may argue that he should be fired because he didn't do his duty.  
Well, that's your view but if it was a one time thing; also, when was the 
last time you made a mistake?  How about the last time you went on 
vacation and you didn't bring a laptop?  uh-oh...

Here are the points:
  Everyone has their own 'code of ethics', usually copied from some old 
LOD tut written in the 80's or from even the MIT model train club but 
grow up and stop trying to trip each other.

blackhats:  owning a system because ppl 'deserve it' is equivalent to 
waging war->the only good outcome is better technology...and it's just 
not worth it. stop your pulpit preaching and go learn something else 
about computer security that you didn't know before...you have a drive 
for security but use it in a decent manner

whitehats:  stop pretending to be someone you're not--if you don't belong 
in the field stop going to those 2600 meetings, stop scanning for those 
css vulns (and getting paid!) and go do something you're actually good at. 
if you are good at what you do then set an example by not subscribing to 
all the standards set by people who don't know what is up.. ie: tear up 
your certs and prove yourself via other ways


blah. that was .02 rant; take it for whatever it was worth

-cyn0n
