From: nwonknu (nwonknu_at_fastmail.fm)
Date: Sat Nov 23 2002 - 00:50:10 CST
The blackhats assert that the security industry is evil, because they
don't offer 100% solutions.
"Look how smart I am! I figured out how to pocket the candy without
getting caught! You must be really stupid to even try!"
What they don't seem to realize is that security can never be 100%.
Inviolable security means total paralysis, just like Marcus Ranum's
perfect network firewall: a pair of scissors.
Security is about risk management. It is about putting controls in place,
and doing the risk analysis up front, so that you mitigate the effects of
an intrusion when it happens. It is about coming up with recovery plans,
for when things inevitably fail. It is about taking appropriate
safeguards for the worth of the data being protected.
Any lockpicker or safecracker can tell you this. No lock is 100% secure.
You have something important to protect, you buy a better lock. How can
avowed blackhats be so dumb as to assert that perfect security is an
attainable, or even reasonable goal? They want you to look the other way,
paralyzed by fear. Don't buy security products! Uh, right. It's all
obviously snake-oil, isn't it?
Of course, no corporate security professional is actually listening to
any of this inane pseudo-messianic blackhat "cleverer-than-thou"
propaganda anyway. They are doing their jobs, and doing them as best they
can. The awful truth is, some of the brightest exploit writers don't know
shit about security. Some of the best security people don't know shit
about writing exploits. Full disclosure was meant to narrow the gap, but
there is an agenda working against this.
So who's listening? Who's the intended audience for all these rants and
You. The hackers, proto-hackers, sysadmins, and young geniuses interested
in computer security. Maybe as a hobby, maybe as a job.
Think about it for a second. Why don't they want you to release your
code? Why don't they want you to do your job? Why don't they want you to
"sell out" and become a security professional? Why do they want you to do
their bidding for them? Why are they "enlisting" people for help? If they
were really blackhats, why aren't they taking action themselves, instead
of taking credit for the actions of others? Is it really just adolescent
scene posturing and status climbing they're after, or something else
Think about the people you think you know online. This is the only hint I
will give you. Think about the timing of all of this. Think about the new
Office of Homeland Security. Think about the $200M+ SAIC contract with
the NSA. Think about the failure of the NIPC, and the political reasons
(and I mean real politics, not this phony blackhat/whitehat stuff) behind
shutting down full disclosure, consolidating cliques, and inciting new
activity in the underground. Do real blackhats really act this way? Think
about why the original progenitors of all this have already left. Think
about why certain people have been fired, or sent away, or have been
behaving the way they are to attract attention, your friendship, and your
trust. Think about why and how certain people have been busted, or have
disappeared silently. Think about what they have told others.
The playing field is level now. I have spoken my piece. Beware.
P.S. Don't trust hushmail. Think about why it requires Java, and isn't
--
http://fastmail.fm - Accessible with your email software or over the web

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html