The sides of security.

I enjoy all the conversation over this list. Although a majority of the points expressed by sockz and democow are valid and I agree with most of what they say, I have to say that the quality of their arguments is low. I think this is having a negative effect on the true points which they are trying to express. Put some well thought out arguments on why/how the sec.industry should change and you will be much more productive. Marcus Ranum has an excellent website full of great stuff - http://ranum.com/pubs/index.shtml (I also use this site as an example of someone keeping the sec industry in check while not being blackhat). Another great resource with very well thought out arguments on disclosure/sec.industry would be the old anti.security.is site and message board. Available at http://web.archive.org/web/20010923032408/http://anti.security.is/ (down atm).

Anyways, the point I will try to make in this post is that of how the topic of computer security has become so large. I am sure with some good research, thinking, and dedication someone could come up with a very insightful paper on this.

What draws people to computer security? This is a broad question, but basically the way I see it is that computer security is an exciting field, not many will deny this. Some see security as the most cool computer subject. Some see it as the most fun. Some see it as the most challenging. Some see it as the most profitable.

The ones who see it as cool usually are seeking fame. Although I feel it is ok to take credit for things you do, one must put a limit on how far they are willing to sell out, damage systems/people, or just do unethical things. Once you start releasing exploits and vuln info to the public (or wide range of friends/underground) you must realize the effects this has on thousands of people worldwide. Is it worth giving people the power to cause millions of dollars of damage just to see your name in lights and have a few people think you are cool?

People who see security as fun or challenging are fine, as long as this fun stays in check. rm -rf / might be fun for some. For others, writing a firewall might be fun. This is a personal decision, and others should not judge. Just because you do not agree with someone else's ethics does not mean you should try to force yours upon them. State your opinions and perhaps they will change their mind. Everyone evolves. I used to be full-disclosure; after information, time, and thought I have changed to non-disclosure. Perhaps one day I will change again (maybe "responsible" disclosure). Basically, let people do what they wish and you the same.

<phreck> ive got an idea. we should all just do whatever the fuck we want.
<zilvio> fully disclose
<zilvio> if one desires

The people who truly desire any given subject will always dislike the shallow ones who are in it solely for the money.
There will always be backstabbers, unethical, and sometimes downright bad people in business. It is the nature of this society at the current time. Keeping these people in check is hard to do. Should we be mad that some are cashing in on something which we do for the love of it? Sometimes I think yes, people are stealing ideas from others, spreading exploits, spamming their company name, and using other unethical methods to gain (force) employment. Other times I think back to "all just do whatever the fuck we want." and really don't give a shit if these people are making money, I'll just keep doing what I like to do and will put in measures so that they cannot profit (as much) off of me.

Suggestions to prevent people from getting into security:

Cool/Fame - Take away full disclosure. Make fun of them. Make it common knowledge that those who do not disclose can/are more cool than those who do. Suggest other ways to be cool, to get famous, or to prove how smart they are instead of whoring code and vuln info.

Fun/Challenging - Take away the fun of it. If they are blackhat, lock down networks or leave them so open it takes away the challenge of getting into them. Give them no reason to attack you - flaming people who are willing to cause harm is usually not a great idea. If they are whitehat then don't attack anything and they will not have fun protecting it. I suggest the best thing for people who really dislike the security industry to do is to just quit security altogether. There is no way to damage them while you are attacking or defending computers. Especially if you are attacking, this is creating business for them. Often times people find no fun in something no one else cares about. If you ignore people, sooner or later they will generally quit doing what they are doing. If you give things to people without putting up a challenge it is often no fun. Part of the fun is the reward from proving that you could do something (get into a computer or protect a computer).

Money - Don't attack computers, less computer attacks means less employment. Don't give information out. Often times security information can be sold or used to gain employment or money. Don't get others into security, many people start off doing security for other reasons then switch to the money reason later on.

How do you force sec.industry to lose money? Destroy the market. Don't give them anything, no attacks, no info, absolutely nothing to sell (they will still sell, but not as much). The fear PHC, ~el8 and such groups put into companies is actually helping sec.industry. If it was up to them I think there would be hundreds of publicly known groups going wild on systems and proving that no one is safe from an attack. This helps sell their service very well.

I would also like to note a few very serious questions everyone on this list should spend a bit of time thinking about:

What are my true motives for being into computer security?
Is my goal to help or hurt computer security?
Is what I am doing helping achieve my goal?

--
This message has been sent via an anonymous mail relay at www.no-id.com.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html