Re: [fw-wiz] Re: Ethics, morality and the industry
From: Marcus J. Ranum (mjr_at_ranum.com)
To: Paul Foster <Paul.Foster@dmtsystems.net>, email@example.com Date: Fri, 29 Oct 2004 12:37:00 -0400
Paul Foster wrote:
>>IMO. Crime should not pay.
>How so? He talks about how he would exploit security systems, and this is his area of expertise. The guy spent many enjoyable years in jail (on his knees?) which does not sound like 'crime pays' to me.
It cost the taxpayers a hell of a lot of money to put him in jail,
and even more to keep him there, and to put him back, etc.
Meanwhile, his book is selling well - I can probably get the
exact number from my publisher if it matters, but I'm sure he's
made a pile off of it. A decent seller like that can net the
author between $50,000 and $100,000 or even more. Not
bad, considering that the book is basically an extended
discussion of how much smarter than the reader (which is
true - after all, they paid good money for the book...) Mitnick is.
Speakers like Mitnick or Abnagnale, depending on their
star trajectory, demand between $5,000 and $15,000 (and
up - my guess is that when the movie came out, it was
a whole lot more...) for a keynote.
And basically, what are these guys selling? Are they
selling solutions? No. Are they telling people, "Don't be
a convicted criminal like me?" No. Are they telling people,
"Here's a problem, and here's why it's hard to solve." Yes.
But the bad news is we _already_ know about the problem
and we _already_ know it's hard to solve. Getting inside
the mind of the criminal is interesting but it's not super
helpful. Use your brain for about 20 seconds and you can
figure out 95% of social engineering. Do you really need
the details about how stupid some of these guy's victims
were? Do you really need the yuk-yuks? No; the message
these clowns offer is not particularly valuable.
If these guys had useful insights, they'd have been making
loads of $$ as con$ultants or product builders, solving the
problems that they chose, instead, to be part of. Hmmmm...
Maybe they're not so smart, after all? Security practitioners
have been around long enough to understand that there are
some problems that are pretty much constants: trust, authorization,
transitive trust, etc. They're like laws of physics: friction, inertia,
etc. You don't see physicists paying lots of money to some
rocket scientist who stands up and says, "Nyaa nyaaa nyaa!
your bearings STILL have FRICTION!" -- having someone tell
security practitioners that complex trust-based systems have
authorization problems is about as useful.
But you want to know who's really the idiot? The idiot
is the person who plunks down good money for Mitnick's
book, or pays a jacked-up conference attendance fee so
some ex-con can stand there and say, "you are SO STUPID
I can fool you ANY TIME" That's not just stupid - that's
"double stupid" And then there's "triple stupid" which is
trying to defend and justify the double stupids. :)
firewall-wizards mailing list