From: dev-null at no-id.com (dev-null@...id.com)
Subject: the sides of security(a 0day post)
The sides of security.
I enjoy all the conversation over this list. Although a majority of the points
expressed by sockz and democow are valid and I agree with most of what they say, I have
to say that the quality of their arguments is low. I think this is having a negative
effect on the true points which they are trying to express. Put some well thought out
arguments on why/how the sec.industry should change and you will be much more
productive. Marcus Ranum has an excellent website full of great stuff -
http://ranum.com/pubs/index.shtml (I also use this site as an example of someone
keeping the sec industry in check while not being blackhat). Another great resource
with very well thought out arguments on disclosure/sec.industry would be the old
anti.security.is site and message board. Available at
http://web.archive.org/web/20010923032408/http://anti.security.is/ (down atm).
Anyways, the point I will try to make in this post is that of how the topic of computer
security has become so large. I am sure with some good research, thinking, and
dedication someone could come up with a very insightful paper on this.
What draws people to computer security?
This is a broad question, but basically the way I see it is that computer security is
an exciting field, not many will deny this. Some see security as the most cool
computer subject. Some see it as the most fun. Some see it as the most challenging.
Some see it as the most profitable.
The ones who see it as cool usually are seeking fame. Although I feel it is ok to take
credit for things you do, one must put a limit on how far they are willing to sell out,
damage systems/people, or just do unethical things. Once you start releasing exploits
and vuln info to the public (or wide range of friends/underground) you must realize the
effects this has on thousands of people worldwide. Is it worth giving people the power
to cause millions of dollars of damage just to see your name in lights and have a few
people think you are cool?
People who see security as fun or challenging are fine, as long as this fun stays in
check. rm -rf / might be fun for some. For others, writing a firewall might be fun. This
is a personal decision, and others should not judge. Just because you do not agree with
someone else's ethics does not mean you should try to force yours upon them. State your
opinions and perhaps they will change their mind. Everyone evolves. I used to be
full-disclosure, after information, time, and thought I have changed to non-disclosure.
Perhaps one day I will change again (maybe "responsible" disclosure). Basically, let
people do what they wish and you the same.
<phreck> ive got an idea. we should all just do whatever the fuck we want.
<zilvio> fully disclose
<zilvio> if one desires
The people who truly desire any given subject will always dislike the shallow ones
who are in it solely for the money. There will always be backstabbers, unethical, and
sometimes downright bad people in business. It is the nature of this society at the
current time. Keeping these people in check is hard to do. Should we be mad that
some are cashing in on something which we do for the love of it? Sometimes I think
yes, people are stealing ideas from others, spreading exploits, spamming their company
name, and using other unethical methods to gain (force) employment. Other times I think
back to "all just do whatever the fuck we want." and really don't give a shit if these
people are making money, I'll just keep doing what I like to do and will put in measures
so that they cannot profit (as much) off of me.
Suggestions to prevent people from getting into security:
Cool/Fame - Take away full disclosure. Make fun of them. Make it common knowledge that
those who do not disclose can/are more cool than those who do. Suggest other ways to
be cool, to get famous, or to prove how smart they are instead of whoring code and vuln
info.
Fun/Challenging - Take away the fun of it. If they are blackhat, lock down networks or
leave them so open it takes away the challenge of getting into them. Give them no
reason to attack you - flaming people who are willing to cause harm is usually not a
great idea. If they are whitehat then don't attack anything and they will not have
fun protecting it. I suggest the best thing for people who really dislike the
security industry to do is to just quit security altogether. There is no way to
damage them while you are attacking or defending computers. Especially if you are
attacking, this is creating business for them.
Often times people find no fun in something no one else cares about. If you ignore
people sooner or later they will generally quit doing what they are doing. If you
give things to people without putting up a challenge it is often no fun. Part of the
fun is the reward from proving that you could do something (get into a computer or
protect a computer).
Money - Don't attack computers, less computer attacks means less employment. Don't give
information out. Often times security information can be sold or used to gain
employment or money. Don't get others into security, many people start off doing
security for other reasons then switch to the money reason later on. How do you force
sec.industry to lose money? Destroy the market. Don't give them anything, no attacks,
no info, absolutely nothing to sell (they will still sell, but not as much).
The fear PHC, ~el8 and such groups put into companies is actually helping sec.industry.
If it was up to them I think there would be hundreds of publicly known groups going
wild on systems and proving that no one is safe from an attack. This helps sell their
service very well.
I would also like to note a few very serious questions everyone on this list should
spend a bit of time thinking about:
What are my true motives for being into computer security?
Is my goal to help or hurt computer security? Is what I am doing helping achieve my goal?
--
This message has been sent via an anonymous mail relay at www.no-id.com.