Re: Simple Nomad's DefCon 11 Rant

[InfoSec News <isn () c4i org>]

Forwarded from: ndex <ndex () flatlined c2security org>

First of all, you can make a good living in Quality Assurance.  
Second, if more time, money and effort went into quality assurance we
might see an improvement in the software that we, as professionals in
computer industry, are forced to deal with on a daily basis.  
Finally, the only real difference between hacking and QA is that a QA
engineer generally gets compensated for finding flaws in a product
before the general public (and our hacker kindred) have the
opportunity to.

I'm by no means suggesting that hacking should be recharacterized as
QA. The fact is that hackers have the advantage over QA engineers of
not knowing the products as intimately as engineers who work with it
every day.  Flaws that QA engineers work around or take for granted,
when shipped to the consumer, become vulnerabilities that any halfway
decent hacker can exploit.

In closing let me say that I've worked with "pimply faced teenage"
engineers who have surpassed in skill and professionalism their highly
paid fat arrogant counterparts at <insert name of large software
company>. I've also worked with "professional software engineers" who
couldn't understand assembler or read a stack trace.  With every
discipline you will find people falling into a spectrum of skill
levels. The key is to have the discipline to continue to explore and
improve your skills.

Of the ~6,000 people who attended Defcon this year I'll venture that a
good number have to work for a living.  Not everyone is fortunate to
work in the security industry, some folks just need to pay the rent.
We all make compromises.  I could understand if we saw an influx of
marketing and sales reps at Defcon, but don't slag a entire discipline
(QA) without a second thought.  The pimply face teenagers are going to
have to pay their own bills someday and QA is a good way to hack and
have a job at the same time.

Barbara Godin <ndex () c2security org>
-yeah yeah, I work in QA


On Mon, 11 Aug 2003, InfoSec News wrote:

> Forwarded from: Mark Bernard <mbernard () nbnet nb ca>
>
> Dear Associates,
>
> Hacking is just like anything else once its been going on for a
> while its finally reached its apex and started to get a little
> stagnate. Just ask yourself who has really stood out of the crowd
> lately?
>
> After all the world hasn't simply stood still while a bunch of
> pimple face teenagers learned how to write a script. Most of these
> folks don't even truly understand what hacking is really about.
> Instead they have become a bunch of QA testers, wow!
>
> Yes Hacking has finally been Americanized and looks like a huge
> commercialized Disneyland. It is now going down the back side of the
> apex and we are only seeing variations of already known attacks
> nothing new.
>
> The good guys have caught up in both skill and capabilities. Sure
> every once in a while some hacker will come along with a brilliant
> idea, but those guys are far a few between. Anyone can create a DoD
> that's amateurish. How many of these guys/gals could actually
> penetrate a system or even get a sniff! Wake up guys!!
>
>
> Regards,
> Mark.
>
>
>
> ----- Original Message -----
> From: "InfoSec News" <isn () c4i org>
> To: <isn () attrition org>
> Sent: Friday, August 08, 2003 3:00 AM
> Subject: [ISN] Simple Nomad's DefCon 11 Rant
>
>
> > http://www.nmrc.org/pub/report/sn-dc-2003.html
> >
> > Have you noticed the change? Do you remember where you were when
> > you first felt the change? I am talking about the change in the
> > security community, especially the underground community. Less
> > trust. More control. Less truth. I'm not talking about society
> > since 9-11, although most certainly looking at things like USA
> > Patriot and DSEA one can certainly see less trust, more control,
> > and less truth. I'm talking about the underground closing ranks.
> > The emergence of Richard Thieme's third generation hackers.
> >
> > The holy trinity of hackers -- trust, control, and truth.
> >
> > Typically the purest form of knowledge -- the facts -- are what
> > hackers refer to as truth. A wisp of falsehood or lie will cause a
> > hacker to bristle. With the nature of hacking being to learn the
> > true nature of something, the truth is an important commodity.
> >
> > Trusting a truth. An important item on the hacker checklist. Can a
> > "truth" be trusted as really being true? Crawling through the
> > ether, keeping enemies as friends, encountering the unknown, a
> > hacker needs to know not only who to trust but what. And it is
> > never a glass that is half empty or half full, it is a swirling
> > and ever-changing fishbowl filled with truths and lies, all
> > swimming together and influencing each other. Finding the truth
> > needle in a haystack of disinformation -- the marching orders of
> > the new millenium hacker.
> >
> > Hackers need to be able to not only understand the control
> > mechanisms that surround a truth, and the nature of those
> > controls, but to understand the responsibility that comes with
> > exercising control over a truth. Also, knowing when and how you
> > are being controlled and manipulated, be it by pervasive means or
> > just the fact that you are aware your actions are being monitored.
> > Having your actions monitored can influence your behavior
> > substantially. Between TLA-driven Carnivore-styled systems to
> > enemy hackers with dsniff to nosy ISP admins, the tilting game
> > board has not just shifted the controls, but the mere threat of
> > controls have changed hacker methods drastically and permanently.
> >
> > There are hackers -- white hat types -- that have removed code
> > from their web pages simply because of the threats posed by such
> > things as DMCA. Talk about Sun Tzu tactics -- many coders removed
> > their work from the net without any laws being used against them.
> > That's a serious control mechanism right there.
> >
> > The new millenium hacker has seen this landscape of unknown
> > enemies in unknown numbers, circled the wagons, and lives a
> > multi-layered life behind layered walls of security,
> > disinformation, and distrust.
> >
> > Two years ago I gave a talk at DefCon 9 that was in my opinion the
> > highpoint for Simple Nomad 1.0. I received a lot of positive
> > feedback from this talk, mainly along the lines of agreement that
> > society is heading for a suppressive human rights hell in a
> > handbasket cleverly disguised with a transnational conglomerate
> > cloaking device. It was a call to arms that things were going from
> > bad to worse. After DefCon 9, September 11 happened, and all of my
> > exaggerated claims -- as well as the claims of many others --
> > began to happen. Claims of the coming neo-Hooverism began to usher
> > forth starting with the passage of USA Patriot and followed by a
> > series of Presidential directives and legislation currently in
> > various stages -- some passed into law, some pending before a
> > willing congress -- that seriously attacks the hacker and hacker
> > culture.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.