[ISN] RFP statement

From: InfoSec News (isnat_private)
Date: Tue May 20 2003 - 00:18:20 PDT


    http://www.wiretrip.net/rfp/txt/evolution.txt
    
    Times change.  People change.  Or more correctly, people evolve.  
    Their needs become different and their desires shift focus.  What was
    a demand yesterday is useless excess today; what was leading edge then
    is ancient technology now.
    
    And the security industry is no different.
    
    The security industry is a much different place than when I entered it
    (although I must give my proper respects to those who were in the
    scene way before I ever came around).  My reasons for being back then
    were very clear to me: open and free research--education of myself and
    others.  At the time many others followed the same principle, and all
    was well.
    
    Of course, (in)security flourished, and that means commercialization
    was inevitable.  Granted, I don't believe your general commercial
    security service offering is that bad.  But that's only step number
    one of commercialization.  Once market viability was proven, then came
    the rush to create commodities.  Security is now sold in a red box
    with a support contract.  And this is where things went downhill.
    
    I'm not the only one who feels this way.  A large part of the Anti-Sec
    movement was based on the same cause; we just differ on the response.
    
    Granted it's naive to think things will, or even can, change back to
    the way they were.  I think that's the oversight many have.  We can't
    go back.  There are very few instances of retrograde in
    evolution--particularly retrograde sparked/led by a small group.  
    And even the entire security industry would amount to a small group in
    the grand scheme of things.
    
    A good example is the meaning of the term 'hacker'.  At one time it
    meant 'tinkerer', or someone who had an exceptional specialized skill
    or understanding of a subject.  The subject didn't have to be
    security-related, or even computer-related.
    
    Nowadays the meaning of the word is different.  It imbibes criminal
    connotations, largely due to media misuse.  Worse, we can't change the
    fact that people have accepted the new meaning.  But I still naively
    clung to the old meaning, and evangelized its proper use as much as I
    could.  Now I realize I was in error.  No one can unbrainwash the world
    into reclaiming the original meaning of the term hacker.  It's a dying
    battle; the damage has been done.  The old meaning of the term is
    extinct.
    
    Except 'hacker' is not the only thing which has changed.  In
    particular, the reasons and drives in the security research community
    have changed--not so much for the better or worse, but rather 'for the
    different'.
    
    What was free and open research is now profit, marketing, and illicit.  
    Vendors stepped in and took control, and the government started
    providing oversight.  Some will say the Wild West was tamed.  I say
    the Free West was put under lock and key.
    
    Well, 'lock and key' is definitely extreme.  It's as oppressive as you
    let it be, but it's hard to not feel the onerousness with all the
    security-related legalities that have crept up.  Do the DMCA et al.  
    really retard the 'bad guys'?  After all, the DMCA is just a law, and
    the bad guys, by definition, are not law followers.  They could care
    less.
    
    But it does impact the 'good guys', particularly those doing security
    research, like myself.  It's things like the DMCA and the possibility
    of a misguided lawsuit at every turn which make me happy that, to this
    day, I have stayed behind my nym, as flimsy as a shield it actually
    is.
    
    Anyways, the security industry has transgressed the parameters in
    which I chose to operate.  Since the beginning I have always said that
    I am doing what I do because I like it--it is *fun*.  Well, it was
    fun.  But it's not anymore.
    
    So now I'm left with the choice of leaving the security industry
    entirely, or adjusting my expectations to better fit to today's
    snapshot of security.
    
    This leads to the refactoring.  I've decided to set new parameters for
    myself and how I interoperate with the rest of the security industry.  
    My wiretrip website is one obvious change.  There's enough computer
    security sites and blogs on the Internet that the world doesn't need
    another--nor do I have any intention of doing what everyone else is
    doing, without providing any significant unique value.  Therefore I
    consolidated and reduced the website to the bare essentials.  
    Superfluous material (for the sake of superfluous material) is no
    more.
    
    Whisker is also no more.  The demands for technical support, and the
    requirements for keeping it updated, far outweigh the benefits of
    continued development.  I can't compete with the commercial scanner
    vendors who have funds to contribute to development.  I also can't
    compete with large projects which have many hands to help maintain
    code bases.  This doesn't even take into factor the general futility
    of CGI scanning in this day and age.  So it's done.
    
    Also done are my speaking engagements.  I don't plan on answering any
    more CFPs or accepting any more invitations.  I do not have anything
    left to speak about, nor anything I wish to speak of that would
    benefit anyone other than curious researchers.  I'm going to enjoy
    being in the crowd for once.
    
    I've had a lot of good moments in the past few years in this industry,
    and I'm sure there's still a few more to be had.  I will still be
    around, my research will still continue, and development of libwhisker
    will still happen.  But the days of free security research for the
    sake of free security research are numbered, if not completely over
    already.
    
    Don't lose sight of security.  Security is a state of being, not a
    state of budget.  He with the most firewalls still does not win.  Put
    down that honeypot and keep up to date on your patches.  Demand better
    security from vendors and hold them responsible.  Use what you have,
    and make sure you know how to use it properly and effectively.
    
    And above all else, don't abuse or take for granted sources of help
    and information.  Without them, you might find yourself lost or
    inconvenienced.
    
    - rfp
    May, 2003
    
    
    
    -
    ISN is currently hosted by Attrition.org
    