Re: [fw-wiz] concerning ~el8 / project mayhem

From: "Marcus J. Ranum"
To: "R. DuFresne"
Date: Sat Aug 17 19:06:01 2002

R. DuFresne wrote:
>It seems that the whitehat community is under a new attack, putting fear
>into the souls of some reputed security experts, leaving them to now,
>rather than admonish these spoiled children, to rather brag them up and
>promote what some are referring to as their fine skillsets and tools.

It's not a new attack!!! This has been going on in many ways for
a long time.

There are really two things going on here... Both are caused by
professional insecurity in the hearts of the "reputed security
experts" Ron's referring to...

First off, there's the specialized knowledge of the hacker. I've
had this particular hook set pretty deep in me, professionally,
in the past. If you're a true white hat, you're not replete with
hacking technique and you're not the kind of guy who can whip out
a tool to crack into any website any time, or whatever. Unfortunately,
a lot of our customers in the security business have been conditioned
to expect reputable security professionals to have at least moderate
hacking skills. This is thanks to things like Hacking Exposed classes,
and the early well-marketed security/hacking cross-overs like Dan
and Wietse's SATAN, ISS, Nmap, etc., etc. I used to do audits and it
was a very very tough thing whenever a customer insisted that I
_demonstrate_ the presence of a vulnerability before they'd be
willing to fix it. (Oddly, I suspect bullet-proof vest makers don't
have that kind of problem with their customers...) So you have to
either become a repository of hacking technique yourself, totally
steer clear of hacking technique, or have friends who have the
hacking knowledge who can step in every so often and back you up.
So, unfortunately, because our customers have been media-trained
and hacker-marketed to be stupid* many security professionals
are now in the situation where they feel they can be embarrassed
if their hacker buddies get pi*sed off at them and the well of
information runs dry. I managed to get over and around this problem
a long time ago by being extremely up front about the fact that
I don't know hacking technique and I don't think it's particularly
useful and I educate customers as well as I can on the issues and
if they don't buy it, there are always smart customers to find.
As soon as you start playing that "secret squirrel" crap you're
vulnerable to whoever can show that your bag of tricks is
mostly empty. There are a huge number of security practitioners
out there who are basically poseurs who pretend to know a lot
about hacking so they can make money doing useless penetration
tests - and they run back to their hotel rooms and use Nessus.
They're vulnerable to real hackers making them look bad because
they have chosen to compete on the wrong playing ground.

Secondly, there's the notion that a security person's security
is an indication of how well they can secure others. In other
words, if you're going to come in to my network and audit my
practices, you'd better not have been hacked yourself. In a
sense, this is reasonable because if you're expecting me to
help you secure your network, I ought to be able to demonstrate
I can secure my own. But we place a ridiculous premium value
on this demonstration. I was at a conference recently and some
of my peers jumped all over me when I sent my password in
the clear to my ISP's POP server. As if I should care? I don't
do anything _important_ via E-mail and any damage I'd suffer
is limited. Their reaction was "it'd be a professional embarrassment!"
but that's not true. Anyone ought to be able to understand that
even cowboys get the blues, sometimes. Even security
companies' websites get hacked. This isn't news - or shouldn't
be. But by holding such a high expectation, we're making our
practitioners vulnerable to this kind of blackmail from the hackers.
Hey, dear customer - if even _I_ get hacked, then you _really_
need me. :)

If you're insecure, your fear gives someone a lever to control

>In other words, like the
>quotes cited in the article mentioned in the forwarded posting below, some
>are paying a verbal ransom to these little brats. At least one security
>related list is being pretty much held hostage to the onslaught of spew
>mentioned in the posting and article it cites.

One other possibility (I can't estimate the likelihood) is that since
the posting is anonymous, it's completely faked. A number of years ago
(1997) me and 2 friends had too many tequilas at a conference and found
ourselves outlining the core of a simple disinformation campaign that
would create a "Hacker Elite" identity trivially easily. All it would
take is a few cooperating members outside the hacker circles and you
could pretty quickly create hard-to-penetrate covers. After all, your
cover as a hacker is tough to penetrate if you can always lapse back
into being mysterious, dodgy, uncommunicative, and anonymous. "Of
course I won't show you my secret technique! It's _secret_!!" All
it'd take was cooperation from a few high-profile security practitioners,
web-site admins, and open source coders and you could create a truly
towering reputation out of nothing, or next to nothing.

Some may say it's already happened.

Then again, this post could also be disinformation. ;) You tell me.

(* not trusting the expertise of an expert you just paid a ton
of money for is stupid by any definition I can think of...)

Marcus J. Ranum - Computer and Communications Security Expertise
