Industry check

     Industry check                      .-'-.              //o\  _\/_
                                    --  /     \  --           |   /o\\
  ^^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~`
     We don't talk to police                                        |
       We don't make a peace bond

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS
poisoning will destroy life as we know it. You have Matasano harvesting talent
and critiquing everyone, and then Ptacek can only announce the release of....a
graphical firewall management client.  There's kingcope killing bugs and
dropping weaponized exploits while making no other contribution except putting
a smile on the face of kiddies. There's iDefense and their competitors selling
exploits and only doing research in how to make more exploits. There's Jeff
Moss running a conference under the hideous misnomer "Blackhat Briefings" where
the same researchers search for glory and present the same shit year after
year. There are people who just live press release by press release. And on top
of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry
cares about virtualization one year and iPhones the next, every year forgetting
the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find
out quickly that none of these people exist to help you.  Very few people in
this industry have their income model based around actually making you more
secure. At best, some of them have it based around convincing you that you are
better off.
 
The very concept of "penetration testing" is fundamentally flawed.  The problem
with it is that the penetration tester has a limited set of targets they're
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box.  So if a site on a shared host is being tested, just
because site1.com is "secure" that does NOT in anyway mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks.  The time constraint is another problem. A professional pentester with
a week or two to spend on a client's network may or may not get into
everything.  A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.

Those things should all be very obvious, but whitehats still make the mistake
of discounting them. Look at Mitnick. Every time he gets owned he blames his
host or his DNS provider. If he's getting owned through them, that's still his
fault. Choosing a host is a security decision, it's just like choosing a
password. If you choose a weak one you expose yourself.  It's still your fault.

It's the same with outsourcing the development of your security-critical code.
Mitnick could get someone else to make him a flashy website, and then blame
them when it is full of file include vulnerabilities. People do this all the
time, indirectly, by using ridiculous CMS or blog software. As an easy example,
look at Wordpress. Even easier, look at Wordpress in 2007.  Horrid. When
considering Wordpress, a blackhat starts reading the PHP, shudders and giggles,
and then laughs at the idea of ever using it on one of their servers. A
whitehat never gets that far apparently, they just install it and get owned. I
simply fail to see how leading security researchers run all kinds of code that
is blatantly dangerous. Are they really that bad at reading code? Or do they
just not care much if their passwords end up on Full Disclosure? If it's the
second option, why is that?  Why can these people make a living selling
security when they make such bad choices? How do they maintain legitimacy? They
take less responsibility for getting owned than do the people who they sell
services to. 

There's a popular term for people who don't read code. We call them script
kiddies.

You cannot outsource blame. You HAVE to take responsibility for your mistakes,
whether they are mistakes in your code, mistakes in code you are using,
mistakes by your host, or mistakes in who you trust. These are all security
choices. Learn to control this shit. Learn how to read code. A lot of the time
it only takes a very shallow audit to realise that the code is crap and is
bound to have bugs. In a smarter world, security professionals get paid to stop
people from getting owned. End of. These is no limit to the scope of an audit.

Are you professional types really this out of touch? I see all these papers
about how to protect yourself from these super-fucking-advanced techniques and
exploits that very few people can actually develop, and most hackers will NEVER
USE. It's the simple stuff that works now, and will continue to work years into
the future. Not only is it way easier to dev for simple mistakes, but they are
easier to find and are more plentiful.
 
The whole concept of full-disclosure has backfired. It will never work. It's
some slashdot hippie pipe dream. Even you dumbass corporate types should
recognize this. If you're constantly giving away all the vulnerabilites you
find, for *FREE* mind you (and what other industry does that?), and the
vulnerabilites get harder and harder to find and exploit, it will get harder
and harder for you all to do your "job".  Frankly, I'm surprised that the
non-disclosure movement didn't start in the security industry in the first
place. In a way it did, by default.  With full-disclosure, the security
industry is all about show and gloat, it is not about fixing anything. A lot of
bugs have been fixed from it, but it comes with the price of an industry that
likes to cripple itself. Projects run by teams of trained monkeys are always
eager to add more bugs to replace those that have been fixed.

We hate the industry because it is full of shit. There are so many trolls like
Kaminsky who just desperately search for anything new, to get attention.  So
many talentless buffoons trying to scam the planet. A lot of the actual talent
out there is severely misapplied. It's an industry tied to news and not
results, because very few of you can even attain results. When you can't, who's
the wiser? Your customers can hardly tell if you have really made them more
secure or not. Sometimes there are superficial benefits, sometimes there
aren't. How do you convince the customer that they are more ZF0-safe than
before, if they were never targetted and probably never will be? And you all
lack the legitimacy to really do the job you should anyways. We can only expose
so many frauds, the rest of you can pretend you have changed something.

Very few whitehats actually go out there and provide a service where they make
people more secure. Not just for a day or a month. Are you genuinely fixing the
underlying design and logic flaws that generate security problems for your
clients or customers? If you actually clean up every exposed security flaw they
have, will they still be "secure" in six months or a year?

We could go on. Just in general, the industry is failing. Flat out failing. 

You cannot even protect yourselves.

Comments