Message-ID: <20021117203243.GA18696@umr.edu>
From: eyberg at umr.edu (Ian Eyberg)
Subject: black vs. white

greets-

I think both hats need a good public relations team. You both have valid
points but you screw up when a) you don't know what you're talking about or
when b) you argue for different points. Let's summarize some points, shall we...

1) blackhats break into systems illegally
2) whitehats predominantly work in the infosec industry

Now let's use some good old set theory that most people can understand.
An intersection set can be composed of people that work in the infosec
industry and those who break into systems illegally. So, to say you're a
shade of any color hat to represent what you think is ludicrous. Frankly
I think the whole color hat argument is a stupid buzzterm whose time is up.

I can see why 'black hats' are pissed at the infosec industry. Can
anyone say David Endler and re-packaged advisories? This type of
'feeding off' of the other talent out there is just pure and simple
unethical and shouldn't happen. The problem it seems, is that a lot of
'security analysts' pass their certs and figure they are good ol' hackers
who can go collect big bucks from fortune 500 companies because they know
that the company that contracts them is more ignorant of security issues
than they are. This severely pisses me off from two points. Number one
being that they are fake. Number two being that they are screwing the
company over that hired them. We don't need to get into the
anti-corporate america argument but a little kindness goes a long way and
the golden rule is very pertinent here.

Let's analyze the white hat view now. Let's admit it sucks to get
owned. Besides pride and humility when you tag any box, even if you
didn't write all over index.php, you have caused major damage to the
owners of it. Many companies, educational institutions and other places
of interest require said owned box to be completely revamped. Well, that
requires paying someone usually and many times jobs are on the line.
I've seen several cases where a person was immediately fired because he
failed to protect a box and somehow it made it into the public view. Now
you may argue that he should be fired because he didn't do his duty.
Well, that's your view but if it was a one time thing; also, when was the
last time you made a mistake? How about the last time you went on
vacation and you didn't bring a laptop? uh-oh...

Here are the points:

Everyone has their own 'code of ethics', usually copied from some old
LOD tut written in the 80's or from even the MIT model train club but
grow up and stop trying to trip each other.

blackhats: owning a system because ppl 'deserve it' is equivalent to
waging war->the only good outcome is better technology...and it's just
not worth it. stop your pulpit preaching and go learn something else
about computer security that you didn't know before...you have a drive
for security but use it in a decent manner

whitehats: stop pretending to be someone you're not--if you don't belong
in the field stop going to those 2600 meetings, stop scanning for those
css vulns (and getting paid!) and go do something you're actually good at.
if you are good at what you do then set an example by not subscribing to
all the standards set by people who don't know what is up.. ie: tear up
your certs and prove yourself via other ways

blah. that was .02 rant; take it for whatever it was worth

-cyn0n