Date: Sat, 19 Jul 2008 19:27:16 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Torvalds attacks IT industry 'security circus'

The maker of Linux was right,

"In an e-mail to the Linux kernel developer mailing list, Torvalds
said a section of the security industry was dedicated to finding bugs
in software only to publicize their findings and gain notoriety."

http://news.cnet.com/Torvalds-attacks-IT-industry-security-circus/2100-1007_3-6243900.html

We've got to stop doing an HD Moore to make a name for ourselves and
release vulnerabilities for the right reason, not to become a cyber
security rock star!!!

The security industry is a circus, it's a joke what it's turned into,
it's not about security anymore, it's a media circus, with over-hype and
over-drive.

Let's cut away with the elitism and become normal people again who
aren't pumped up on steroids everyday to become famous.

The media are to blame, the Robert Lemoses and the others, they write
shit all the time just to make their companies' ad-click money, they
don't really care what's written as long as it's security related, they
don't care.

As little research as possible and the most amount of oversteer to
make the security industry sound more important and exciting than it
is.

Security, it's a dull field to be in, once you know it all you really
do know it all. It's a boring sport being a security professional.

That's why when some new disclosure comes along, we make a big deal of
it, to give us some excitement in your boring life.

This security industry is driven by the media to give it free
advertising and to drive up profits... the care about security takes
second shelf... the ad click and egoism comes first.

Go look at the web based archives of the less-busy mailing lists on
Securityfocus, it's a rat run of security conference spam when the
subject is supposed to be on security, that's what we've turned into, a
shaft of advertising mecca... In security we get to advertise for
free, in security we don't need to buy banner ads. In security we can
charge thousands of pounds a ticket to watch a nerd mumble in a voice
which only reflects the person's social isolation from the world and
the true lifestyle of the geek, a sad lonely pisser, sitting in his
own urine and coding up exploit code to give his sad existence more
self worth. Fresh air doesn't exist in nerd land, only the recycled
air of our own farts and bad breath, at weekends we don't wash, and on
Monday your co-workers notice part of your beard you forgot to shave,
and you are wearing the same clothes you did last week and every week.
Do I sound bitter? It's because I probably am.

We need a shake, a good long shake. Take hold of yourselves and see
what you've turned into. Is this what we want to be, a hyped-up media
circus of wombats?

The security conference spam runs... let's outlaw that shit.

Month of browser bugs and Metasploit framework... let's trash that.

Dan Kaminsky... the man who changed internet security...Cnet staff,
let's scrap headlines like that.

The Pwnie awards & not letting Dan Kaminsky be nominated for most
over-hyped bug, let's add him and every mother fucker in the industry as a
nomination, we're all over-hyped and I'm sick of it.

And for next year's Pwnie awards, let's add a category for most
illegally spammed security conference and most over-hyped security
conference, because they all are.

Buy your banner ads and get yourself off the mailing lists now and
forever in the future.

Stop advertising your security conferences through security
researchers and asking them to post the vulnerability a month before
the damn conference, we're not stupid we see through you. Yes, you the
leaders of the security conferences and the industry, the ones using
security researchers to make a lot of cash and make you dirty rich so
you can sit on a yacht for the rest of the year with chicks by your
side drinking champagne.

The leaders of the industry are exploiting the media and the security
researchers, they're in it for the money to tool up revenue, they
couldn't care less about us and cyber security... they just want to
become filthy rich.

It's people like you who are screwing it up for the future generation,
there won't be a security underground left in 10 years' time, because
the industry will have it graveyarded and scared the underground away
from existence.

People are scared the law will change, the government can show you the
industry money makers who's really in charge, we can make certain
things illegal for security researchers to do, and tighten up on how
much money you can make and exploit security researchers for.

In the sex trade there is human trafficking, in the security industry
there is the exploitation & trafficking of security researchers. So
what is the security industry making you researchers? A whore to the
cause of making money and not really caring about you or actual
security.

I've got one thing to say to security researchers... stop being
exploited by these people and go independent, don't go to a security
conference, stand out in a market square in the middle of a town, and
invite anyone along who wants to come. Ticketless, free and open. It
will kill the damn security conferences, the rich fucks who are
exploiting you. It's time to take control. If the security conference
leaders have no security researchers or new techniques to come to
their conferences then they will take note and know who's really in
charge of things.

Boycott security conferences, if you want to speak in public, do it in
a random town market square free of charge... invite everyone from the
mailing lists to come, stand up on a statue and tell the world about
your researched vulnerabilities, but don't feel you need to attend a
damn security conference... because you're being exploited and taken
advantage of by the big tom cats of the industry!!!

The security conference tom cats and the money making security
industry will die overnight, and while that's a bad thing for the
industry leaders, it brings back control to the security researcher
and the underground as a whole.

We can still save ourselves from being a security circus and being
exploited, if we boycott the security conferences... I'm talking to you
keynote speakers like Dan Kaminsky.

If you had announced you were going to give your talk at a random town
square free of charge and invited everyone who wanted to be there to
come on the mailing lists you would have gotten a lot more respect. To
base your disclosure and speech around a money oriented security
conference takes away credibility for your cause, and takes power
and control away from the ever corroding underground scene.

Kill off security conferences... the media circus... the security
circus that the maker of Linux is talking about.

Give a bug merit where it's due and no merit where it isn't...

I stand shoulder to shoulder with Linus Torvalds in condemning the
direction the security scene is going in and so should everyone.

All the best,

n3td3v

http://n3td3v.googlepages.com
