Sergio, "Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to protect better themselves."
I really take offense to your comment. I am seeing malware out in the field that is based on work by so-called noble "security researchers". My litmus test is: If there were no whitehats and security researchers, would we be better off at fighting the bad guys? My answer is emphatically "yes". I agree with Gary and from knowing Gary from all of his posts and podcasts, this is not a new stance from him. I am in complete agreement with him and always have been. And while I am here, the "Builders vs. Breakers" term should be attributed to Mark Curphey. You can probably still find his original post. The next question is: Can we ever prevent people from being "security researchers" or "white hats" or "black hats" or "bad guys"? No. But I think we have to start to take the lipstick off of the pigs and recognize what it is. It's called "Blackhat", isn't it? Very unfortunately, there is more glamour - and probably more reward - in breaking stuff. What I hate is that "security researchers" and the "white hats" try to present themselves as noble and as the good guys. It's f*cking bullsh*t and a total scam. Ten years later for me and the state of infosec is much worse. There is also a nasty faction of infosec that will never want to solve problems which will put themselves out of work. Yep, I am throwing down that gauntlet FWIW. Stephen On Wed, Aug 31, 2011 at 1:01 PM, Sergio 'shadown' Alvarez <shad...@gmail.com> wrote: > Hi gem, > > I've read your article to see what direction you were willing to take, before > jumping into the conversation. Your post was exactly what I thought you were > heading to. > > I disagree with your thought for many reasons. > > But first I would like to use proper terms so that we don't misuse some > vocabulary: > > You said: """Software security should be a balanced approach of offense and > defense (white hat and black hat, if you will)""" > > Whitehat: reports what he/she has found. Network vulenerabilities, software > security flaws, flawed crypto, design flaws, or whatever it is that the > individual found it was broken or wrong. > > Blackhat: doesn't report what he/she found, because she/he want to keep it > that way. > > Of course there are a lot of grays out there too. > > Defense is…well... defense. > > To design and build proper software and hardware there are a lot of > conferences out there, as well as trainings and a huge amount of literature. > There are very good books when it comes to secure software development. > > Every year what is presented, in the best security conferences, are new > techniques that developers need to be aware of in order to build secure > products. Most of the presentations talk about things that were wrongly > designed and/or corner-cases which were not considered. > > There are also a lot of tools and libraries which help development teams to > do things right, specially libraries and templates like Microsoft Safeint as > well as the safe APIs, which prevent developers from shooting themselves. > They just need to use them. There are also managed languages, APIs to handle > SQL securely, etc. It is just that a lot of developers don't use what is > available to them. > > Blackhat is great as it is now, there are talks about new defense > technologies from time to time too. Having more talks about defense would be > use, in my opinion, to sale products than anything else. I don't believe it > would do any good to Blackhat. > > """I am not opposed to breaking stuff (see "Exploiting Software" from 2004), > but I am worried about an overemphasis on breaking stuff.""" > > Blackhat IS about breaking stuff, the vendors area offers defense products > and services to improve your security. For building stuff (as in development) > there are other conferences out there. People go to Blackhat to be aware of > what things might go wrong in order to protect better themselves. And even > then many good talks overlap unfortunately. > > Regards, > Sergio > > On Aug 31, 2011, at 4:16 PM, Gary McGraw wrote: > >> hi sc-l, >> >> I went to Blackhat for the first time ever this year (even though I am >> basically allergic to Las Vegas), and it got me started thinking about >> building things properly versus breaking things in our field. Blackhat was >> mostly about breaking stuff of course. I am not opposed to breaking stuff >> (see "Exploiting Software" from 2004), but I am worried about an >> overemphasis on breaking stuff. >> >> After a quick and dirty blog entry on the subject >> <http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>, >> I sat down and wrote a better article about it: >> >> Software [In]security: Balancing All the Breaking with some Building >> http://www.informit.com/articles/article.aspx?p=1750195 >> >> I've also had a chat with Adam Shostack (a member of the newly formed >> Blackhat Advisors) about the possibility of adding some building content to >> Blackhat. Go Adam! >> >> Do you agree that Blackhat could do with some building content?? >> >> gem >> >> company www.cigital.com >> podcast www.cigital.com/silverbullet >> blog www.cigital.com/justoceleague >> book www.swsec.com >> >> _______________________________________________ >> Secure Coding mailing list (SC-L) SC-L@securecoding.org >> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l >> List charter available at - http://www.securecoding.org/list/charter.php >> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) >> as a free, non-commercial service to the software security community. >> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates >> _______________________________________________ > > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates > _______________________________________________ > -- http://www.linkedin.com/in/stephencraigevans _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
