From: aliver at xexil.com (aliver@...il.com)
Subject: Ron D. is so cool.

Folks,
	Before I reply to Ron and properly stir him up let me express my
sentiment that this list has now been rendered worthless as a source of
any real "security info". Any attempt to save it seems, to me, futile. It
serves now only as a space for a never-ending full-disclosure debate
rather than a space for real disclosure of anything. It reminds me a bit
of eternal battles in Valhalla. Now that my attitude has been properly
adjusted by this new environment, I'm starting to enjoy it. So if it's on,
then it's on.

On Thu, 15 Aug 2002, Ron DuFresne wrote:
> The two brighter sec-industry folks, Theo de Raadt and Shane Macaulay,
> at least would not comment

	Well, for Theo's part that's probably because he's learned that
antagonizing the dark side leads to the denigration of his own self-image
as head security alpha-geek. GOBBLES properly cock-blocked him a couple of
times after he made some pretty far reaching claims about his own
pet-project, OpenBSD. Theo isn't quiet due to his intrinsic understanding
of your ego-feeding theory. He's quiet because he's still in shock. That's
how prima donnas are.
	Let's examine this "bright" hero of yours.
1. He joins the NetBSD project.
2. He's such a jerk and a crybaby, that after repeated chances the
   NetBSD team removes his CVS access and boots him.
3. He immediately forks NetBSD into OpenBSD and cleverly claims a
   "focus shift" to the "secure by default".
4. He immediately gains a following of pen-testers and "security pros"
   who are known in Blackhat circles as "Theo worshipers".

	Ask yourself why the OpenBSD folks don't like to admit that 95% of
their project stems from work done by the NetBSD team. Ask yourself why
Theo gets no respect from Blackhats. It isn't because he won't give them
props for breaking him off some on a regular basis. Most importantly to
you, Ron, is to ask yourself why "Theo Worshipers" is an apt description
of the OpenBSD "movement". I have a theory; it goes something like this.
The greater part of them can't code in C and/or can't really grasp what
kind of a shyster Theo really is, and how far out of whack his rhetoric to
deliverable output is. They buy the rhetoric, ("secure by default" sounds
good right?) and don't know any better. So, to them Theo is a security God
who has blessedly bestowed upon them the OS of their dreams. They can be
leet _and_ wear the white hat, too. W00t!
	Ron, weren't you the same guy who mentioned Marcus Ranum, too? Or
I should say Markus "I'm soo pissed because Snort flattened my company"
Ranum. We could almost populate Tupac Shakur's "Who's Who of Whitehats"
with your heroes. I wonder if you are one of those executives who came to
demo NFR 5.0 at a company I used to work at and nearly burst a blood
vessel when I broke the sensors in about 3 discrete ways. That was, of
course after they claimed it was probably just a "configuration error". Of
course I didn't turn over the information on how I did it. I just gave
them a vague (and incorrect) description, and properly leaked the info on
IRC. See, I don't turn my info or exploits over to commercial vendors.
Especially ones who support trying 16 year olds as adults and locking them
up in prison for defacing a web site.

> on the childish antics of these mini-terrorist-wanna-bes.

	There is the "terrorist" term coming out. It's popular nowadays to
label folks as terrorist. You seem to be a bit squeamish about it, though
(using the "mini" prefix). I wonder if you have ever called that "turn in
your neighbor" terrorist hotline?
	One man's terrorist is another man's guerilla soldier. The
founding fathers were "terrorists" to the British. Remember that. Contra
death squads were "soldiers" to us, but Sandinista freedom fighters were
"terrorists". Who were the ones torturing children, and burning villages
to the ground? It wasn't the people the CIA was funneling money to, I can
tell you that. Ask the people of Guatemala who the terrorists were when in
1954, a legally elected democratic socialist government was
overthrown by an invasion force of mercenaries trained by the CIA at
military bases in Honduras and Nicaragua and supported by four American
fighter planes flown by American pilots. So, anyway, reining in the
"terrorist" rant, let it suffice to say that the term used so frequently
by people like yourself has completely lost its meaning. You use it when
it suits you, then you act like it never applies to actions you sanction.
	You think you have the motivation of Blackhats all figured out eh?
Good for you, Ron. That is exactly the kind of ignorance and
self-importance that'll allow them to thrive.
	Personally, I want to watch it all burn, anyway. The whole
corporatist way of life, with their porn distribution network (aka The
Internet) and all. I might be pimped by them, but I don't have to like it
or act like it's cool. I'm not optimistic enough to think that
all-pro-blackhats and script kiddie armies will be enough to eradicate
corporatism.  However, it pleases me that such folks make their life
inconvenient. It also puts a smile on my face that they get under your
skin and get you all riled up, Ron. For that last fact alone I say "GO
BLACKHATS!".

> Well, there's feeding into their own mania for one.

Wow, I'm totally in awe of these Blackhat dudes. They are the bomb. Blood
pressure rising yet?

> The old I wanna see my name in lights and posted all over the place
> acknowledging my l33tn355.

They are silly-gumby-fresh-elite, and I must give them mad props.

> Better that if you have names, they be spilled to the proper authorities
> to bring these lamers to the knees of the justice system.

	Have you ever considered the life of a CI? That's what the cops
call "criminal informants". Of course you don't have to be a criminal, you
can just turn people in for any little thing, and all the while make money
in the bargain. I hear one guy cleared about 35 grand from the feds by
telling them a parking garage attendant was a class one coke dealer. He
had to string them on a few months, and his target ended up in jail for a
couple of life sentences, but it's money right?
	Anyhow, I bet you'd really enjoy the lifestyle. You could go
around "bringing people to the knees of the justice system" and make a
little cash on the side. It doesn't matter what crimes they have really
committed, but just so long as _you_ think they are guilty. That's what
really counts after all, right?

>  Hopefully you are not enabling them with some other childish whim of
> 'not telling' on your peers for sure.

We must never reveal the uber-secret names of these 31337 heroes.

> Certainly avoid feeding their limited egos

Who says their egos are limited? What if they are unlimited?

> be part of a concerted effort to end their tantrums in the halls of the
> legal system

See what I mean about the CI bit? I'm telling you, this is the life for
you, my man. Go for it!

> and make their lives as tough as possible to persist in these rantings.

Yeah no sense to acknowledge any of this First Amendment baloney. Let's
make it as hard as possible for these "terrorists" to "rant".

> Thanks,

Oh you are sooo welcome.

> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart

Wow, that's a neat quote. That's the first cool thing I've seen from you.
Wait, it's not from you. Never mind.

> ***testing, only testing, and damn good at it too!***

Would that be pen-testing? I.e., using tools written by blackhats to make
money for the man, and to feed your oh-so-obedient children? I'm glad you
are good at testing. That must be great for you. I personally don't test
or write documentation. I just write code. Woe is me.

> OK, so you're a Ph.D.  Just don't touch anything.

Do I detect some penis envy here?

aliver




