Re: [ISN] Simple Nomad's DefCon 11 Rant

From: InfoSec News (isnat_private)
Date: Tue Aug 12 2003 - 02:26:24 PDT


    Forwarded from: ndex <ndexat_private>
    
    First of all, you can make a good living in Quality Assurance.  
    Second, if more time, money and effort went into quality assurance we
    might see an improvement in the software that we, as professionals in
    the computer industry, are forced to deal with on a daily basis.  
    Finally, the only real difference between hacking and QA is that a QA
    engineer generally gets compensated for finding flaws in a product
    before the general public (and our hacker kindred) have the
    opportunity to.
    
    I'm by no means suggesting that hacking should be recharacterized as
    QA. The fact is that hackers have the advantage over QA engineers of
    not knowing the products as intimately as engineers who work with it
    every day.  Flaws that QA engineers work around or take for granted,
    when shipped to the consumer, become vulnerabilities that any halfway
    decent hacker can exploit.
    
    In closing let me say that I've worked with "pimply faced teenage"
    engineers who have surpassed in skill and professionalism their highly
    paid fat arrogant counterparts at <insert name of large software
    company>. I've also worked with "professional software engineers" who
    couldn't understand assembler or read a stack trace.  With every
    discipline you will find people falling into a spectrum of skill
    levels. The key is to have the discipline to continue to explore and
    improve your skills.
    
    Of the ~6,000 people who attended Defcon this year I'll venture that a
    good number have to work for a living.  Not everyone is fortunate to
    work in the security industry, some folks just need to pay the rent.
    We all make compromises.  I could understand if we saw an influx of
    marketing and sales reps at Defcon, but don't slag an entire discipline
    (QA) without a second thought.  The pimply face teenagers are going to
    have to pay their own bills someday and QA is a good way to hack and
    have a job at the same time.
    
    Barbara Godin <ndexat_private>
    -yeah yeah, I work in QA
    
    
    On Mon, 11 Aug 2003, InfoSec News wrote:
    
    > Forwarded from: Mark Bernard <mbernardat_private>
    >
    > Dear Associates,
    >
    > Hacking is just like anything else once it's been going on for a
    > while it's finally reached its apex and started to get a little
    > stagnant. Just ask yourself who has really stood out of the crowd
    > lately?
    >
    > After all the world hasn't simply stood still while a bunch of
    > pimple face teenagers learned how to write a script. Most of these
    > folks don't even truly understand what hacking is really about.
    > Instead they have become a bunch of QA testers, wow!
    >
    > Yes Hacking has finally been Americanized and looks like a huge
    > commercialized Disneyland. It is now going down the back side of the
    > apex and we are only seeing variations of already known attacks
    > nothing new.
    >
    > The good guys have caught up in both skill and capabilities. Sure
    > every once in a while some hacker will come along with a brilliant
    > idea, but those guys are far and few between. Anyone can create a DoD
    > that's amateurish. How many of these guys/gals could actually
    > penetrate a system or even get a sniff! Wake up guys!!
    >
    >
    > Regards,
    > Mark.
    >
    >
    >
    > ----- Original Message -----
    > From: "InfoSec News" <isnat_private>
    > To: <isnat_private>
    > Sent: Friday, August 08, 2003 3:00 AM
    > Subject: [ISN] Simple Nomad's DefCon 11 Rant
    >
    >
    > > http://www.nmrc.org/pub/report/sn-dc-2003.html
    > >
    > > Have you noticed the change? Do you remember where you were when
    > > you first felt the change? I am talking about the change in the
    > > security community, especially the underground community. Less
    > > trust. More control. Less truth. I'm not talking about society
    > > since 9-11, although most certainly looking at things like USA
    > > Patriot and DSEA one can certainly see less trust, more control,
    > > and less truth. I'm talking about the underground closing ranks.
    > > The emergence of Richard Thieme's third generation hackers.
    > >
    > > The holy trinity of hackers -- trust, control, and truth.
    > >
    > > Typically the purest form of knowledge -- the facts -- are what
    > > hackers refer to as truth. A wisp of falsehood or lie will cause a
    > > hacker to bristle. With the nature of hacking being to learn the
    > > true nature of something, the truth is an important commodity.
    > >
    > > Trusting a truth. An important item on the hacker checklist. Can a
    > > "truth" be trusted as really being true? Crawling through the
    > > ether, keeping enemies as friends, encountering the unknown, a
    > > hacker needs to know not only who to trust but what. And it is
    > > never a glass that is half empty or half full, it is a swirling
    > > and ever-changing fishbowl filled with truths and lies, all
    > > swimming together and influencing each other. Finding the truth
    > > needle in a haystack of disinformation -- the marching orders of
    > > the new millennium hacker.
    > >
    > > Hackers need to be able to not only understand the control
    > > mechanisms that surround a truth, and the nature of those
    > > controls, but to understand the responsibility that comes with
    > > exercising control over a truth. Also, knowing when and how you
    > > are being controlled and manipulated, be it by pervasive means or
    > > just the fact that you are aware your actions are being monitored.
    > > Having your actions monitored can influence your behavior
    > > substantially. Between TLA-driven Carnivore-styled systems to
    > > enemy hackers with dsniff to nosy ISP admins, the tilting game
    > > board has not just shifted the controls, but the mere threat of
    > > controls has changed hacker methods drastically and permanently.
    > >
    > > There are hackers -- white hat types -- that have removed code
    > > from their web pages simply because of the threats posed by such
    > > things as DMCA. Talk about Sun Tzu tactics -- many coders removed
    > > their work from the net without any laws being used against them.
    > > That's a serious control mechanism right there.
    > >
    > > The new millennium hacker has seen this landscape of unknown
    > > enemies in unknown numbers, circled the wagons, and lives a
    > > multi-layered life behind layered walls of security,
    > > disinformation, and distrust.
    > >
    > > Two years ago I gave a talk at DefCon 9 that was in my opinion the
    > > highpoint for Simple Nomad 1.0. I received a lot of positive
    > > feedback from this talk, mainly along the lines of agreement that
    > > society is heading for a suppressive human rights hell in a
    > > handbasket cleverly disguised with a transnational conglomerate
    > > cloaking device. It was a call to arms that things were going from
    > > bad to worse. After DefCon 9, September 11 happened, and all of my
    > > exaggerated claims -- as well as the claims of many others --
    > > began to happen. Claims of the coming neo-Hooverism began to usher
    > > forth starting with the passage of USA Patriot and followed by a
    > > series of Presidential directives and legislation currently in
    > > various stages -- some passed into law, some pending before a
    > > willing congress -- that seriously attacks the hacker and hacker
    > > culture.
    
    [...]
    
    
    
    


