Information Security News mailing list archives

RFP statement


From: InfoSec News <isn () c4i org>
Date: Tue, 20 May 2003 02:18:20 -0500 (CDT)

http://www.wiretrip.net/rfp/txt/evolution.txt

Times change.  People change.  Or more correctly, people evolve.  
Their needs become different and their desires shift focus.  What was
a demand yesterday is useless excess today; what was leading edge then
is ancient technology now.

And the security industry is no different.

The security industry is a much different place than when I entered it
(although I must give my proper respects to those who were in the
scene way before I ever came around).  My reasons for being back then
were very clear to me: open and free research--education of myself and
others.  At the time many others followed the same principle, and all
was well.

Of course, (in)security flourished, and that means commercialization
was inevitable.  Granted, I don't believe your general commercial
security service offering is that bad.  But that's only step number
one of commercialization.  Once market viability was proven, then came
the rush to create commodities.  Security is now sold in a red box
with a support contract.  And this is where things went downhill.

I'm not the only one who feels this way.  A large part of the Anti-Sec
movement was based on the same cause; we just differ on the response.

Granted it's naive to think things will, or even can, change back to
the way they were.  I think that's the oversight many have.  We can't
go back.  There are very few instances of retrograde in
evolution--particularly retrograde sparked/led by a small group.  
And even the entire security industry would amount to a small group in
the grand scheme of things.

A good example is the meaning of the term 'hacker'.  At one time it
meant 'tinkerer', or someone who had an exceptional specialized skill
or understanding of a subject.  The subject didn't have to be
security-related, or even computer-related.

Nowadays the meaning of the word is different.  It imbibes criminal
connotations, largely due to media misuse.  Worse, we can't change the
fact that people have accepted the new meaning.  But I still naively
clung to the old meaning, and evangelized its proper use as much as I
could.  Now I realize I was in error.  No one can unbrainwash the world
into reclaiming the original meaning of the term hacker.  It's a dying
battle; the damage has been done.  The old meaning of the term is
extinct.

Except 'hacker' is not the only thing which has changed.  In
particular, the reasons and drives in the security research community
have changed--not so much for the better or worse, but rather 'for the
different'.

What was free and open research is now profit, marketing, and illicit.  
Vendors stepped in and took control, and the government started
providing oversight.  Some will say the Wild West was tamed.  I say
the Free West was put under lock and key.

Well, 'lock and key' is definitely extreme.  It's as oppressive as you
let it be, but it's hard to not feel the onerousness with all the
security-related legalities that have crept up.  Do the DMCA et al.
really retard the 'bad guys'?  After all, the DMCA is just a law, and
the bad guys, by definition, are not law followers.  They could care
less.

But it does impact the 'good guys', particularly those doing security
research, like myself.  It's things like the DMCA and the possibility
of a misguided lawsuit at every turn which make me happy that, to this
day, I have stayed behind my nym, as flimsy as a shield it actually
is.

Anyways, the security industry has transgressed the parameters in
which I chose to operate.  Since the beginning I have always said that
I am doing what I do because I like it--it is *fun*.  Well, it was
fun.  But it's not anymore.

So now I'm left with the choice of leaving the security industry
entirely, or adjusting my expectations to better fit to today's
snapshot of security.

This leads to the refactoring.  I've decided to set new parameters for
myself and how I interoperate with the rest of the security industry.  
My wiretrip website is one obvious change.  There's enough computer
security sites and blogs on the Internet that the world doesn't need
another--nor do I have any intention of doing what everyone else is
doing, without providing any significant unique value.  Therefore I
consolidated and reduced the website to the bare essentials.
Superfluous material (for the sake of superfluous material) is no
more.

Whisker is also no more.  The demands for technical support, and the
requirements for keeping it updated, far outweigh the benefits of
continued development.  I can't compete with the commercial scanner
vendors who have funds to contribute to development.  I also can't
compete with large projects which have many hands to help maintain
code bases.  This doesn't even take into factor the general futility
of CGI scanning in this day and age.  So it's done.

Also done are my speaking engagements.  I don't plan on answering any
more CFPs or accepting any more invitations.  I do not have anything
left to speak about, nor anything I wish to speak of that would
benefit anyone other than curious researchers.  I'm going to enjoy
being in the crowd for once.

I've had a lot of good moments in the past few years in this industry,
and I'm sure there's still a few more to be had.  I will still be
around, my research will still continue, and development of libwhisker
will still happen.  But the days of free security research for the
sake of free security research are numbered, if not completely over
already.

Don't lose sight of security.  Security is a state of being, not a
state of budget.  He with the most firewalls still does not win.  Put
down that honeypot and keep up to date on your patches.  Demand better
security from vendors and hold them responsible.  Use what you have,
and make sure you know how to use it properly and effectively.

And above all else, don't abuse or take for granted sources of help
and information.  Without them, you might find yourself lost or
inconvenienced.

- rfp
May, 2003


