Open Source and information security mailing list archives
 
Message-ID: <Pine.BSF.4.21.0212301323020.81324-100000@vapour.net>
From: batsy at vapour.net (batz)
Subject: Wired.com: So Many Holes, So Few Hacks

On Mon, 30 Dec 2002, Richard M. Smith wrote:

:Experts who discover and report security holes seem to be far more
:industrious than the malicious hackers willing or able to exploit those
:holes. 

From any perspective that matters in any broad sense, it is ultimately 
the same people who both discover and exploit software vulnerabilities. 

If not as individuals, at least as a group.  The division between good
hacker and bad hacker has more to do with who pays us (or doesn't) than 
with our sense of gratification from finding bugs. The good/evil 
dichotomy is arbitrary and makes everyone look stupid. It's about 
time it was disposed of. 

:But those same experts also cheerfully confess that most exploits
:aren't all that exploitable, and that the security industry profits by
:stirring up fear and frenzy. 

Like any industry, there are generally only a handful of people who 
comprehend the value of what it is they do and the services they
provide. They are easy to spot because they tend to be filthy rich and 
lying on a beach somewhere, having cashed out and split before these
discussions even start. 

:Experts also wonder whether they and their colleagues devote entirely
:too much time poring over program code looking for possible
:exploits. 

Does anyone else find it conspicuous that the companies who make all 
the money don't bother spending time finding new bugs? The reason is, 
while it may be very useful for advancing our understanding 
of how these bugs evolve, it does very little to sell more widgets. 
If I had $80k to drum up new business, and investors breathing down 
my neck, I wouldn't spend it on having 0-day exploit code written, 
given the goal at hand and possible alternative solutions. 

Hackers write code and find bugs. It's a discourse. Companies sell 
software and services. It's a business. 

The balance of the two makes for a sustainable and reasonably 
cool place to work. However, there are sacrifices made to 
maintain that balance, and when investment is involved, and 
push comes to shove, we all know who wins. 

The industry needs to grow up and recognize where its value is, and 
the discourse needs to mature and become a valuable critical perspective 
from which to analyze business and other (more interesting) systems.  

Hackers are a lot like engineers, but with imaginations. 
You'd think that would be the formula for success, but it's 
really just a way to make people think you are an unremarkable
engineer, or too technical to be creative. They can always find 
duller engineers and flakier creative types. This is kind of ideal, 
because that leaves us content to use this newfound extra time 
to just keep on hacking. ;) 

Cheers, 

-- 
batz

