Re: [fw-wiz] Re: Ethics, morality and the industry

From: Marcus J. Ranum
Date: 10/29/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Re: Ethics, morality and the industry"
    To: Paul Foster <>,
    Date: Fri, 29 Oct 2004 12:37:00 -0400

    Paul Foster wrote:
    >>IMO. Crime should not pay.
    >How so? He talks about how he would exploit security systems, and this is his area of expertise. The guy spent many enjoyable years in jail (on his knees?) which does not sound like 'crime pays' to me.

    It cost the taxpayers a hell of a lot of money to put him in jail,
    and even more to keep him there, and to put him back, etc.

    Meanwhile, his book is selling well - I can probably get the
    exact number from my publisher if it matters, but I'm sure he's
    made a pile off of it. A decent seller like that can net the
    author between $50,000 and $100,000 or even more. Not
    bad, considering that the book is basically an extended
    discussion of how much smarter than the reader (which is
    true - after all, they paid good money for the book...) Mitnick is.
    Speakers like Mitnick or Abagnale, depending on their
    star trajectory, demand between $5,000 and $15,000 (and
    up - my guess is that when the movie came out, it was
    a whole lot more...) for a keynote.

    And basically, what are these guys selling? Are they
    selling solutions? No. Are they telling people, "Don't be
    a convicted criminal like me?" No. Are they telling people,
    "Here's a problem, and here's why it's hard to solve." Yes.
    But the bad news is we _already_ know about the problem
    and we _already_ know it's hard to solve. Getting inside
    the mind of the criminal is interesting but it's not super
    helpful. Use your brain for about 20 seconds and you can
    figure out 95% of social engineering. Do you really need
    the details about how stupid some of these guys' victims
    were? Do you really need the yuk-yuks? No; the message
    these clowns offer is not particularly valuable.

    If these guys had useful insights, they'd have been making
    loads of $$ as con$ultants or product builders, solving the
    problems that they chose, instead, to be part of. Hmmmm...
    Maybe they're not so smart, after all? Security practitioners
    have been around long enough to understand that there are
    some problems that are pretty much constants: trust, authorization,
    transitive trust, etc. They're like laws of physics: friction, inertia,
    etc. You don't see physicists paying lots of money to some
    rocket scientist who stands up and says, "Nyaa nyaaa nyaa!
    your bearings STILL have FRICTION!" -- having someone tell
    security practitioners that complex trust-based systems have
    authorization problems is about as useful.

    But you want to know who's really the idiot? The idiot
    is the person who plunks down good money for Mitnick's
    book, or pays a jacked-up conference attendance fee so
    some ex-con can stand there and say, "you are SO STUPID
    I can fool you ANY TIME." That's not just stupid - that's
    "double stupid." And then there's "triple stupid," which is
    trying to defend and justify the double stupids. :)


    firewall-wizards mailing list
