Re: [fw-wiz] Re: Ethics, morality and the industry

From: Marcus J. Ranum
Date: 10/29/04

    To: Paul Foster <>,
    Date: Fri, 29 Oct 2004 12:37:00 -0400

    Paul Foster wrote:
    >>IMO. Crime should not pay.
    >How so? He talks about how he would exploit security systems, and this is his area of expertise. The guy spent many enjoyable years in jail (on his knees?) which does not sound like 'crime pays' to me.

    It cost the taxpayers a hell of a lot of money to put him in jail,
    and even more to keep him there, and to put him back, etc.

    Meanwhile, his book is selling well - I can probably get the
    exact number from my publisher if it matters, but I'm sure he's
    made a pile off of it. A decent seller like that can net the
    author between $50,000 and $100,000 or even more. Not
    bad, considering that the book is basically an extended
    discussion of how much smarter than the reader (which is
    true - after all, they paid good money for the book...) Mitnick is.
    Speakers like Mitnick or Abagnale, depending on their
    star trajectory, demand between $5,000 and $15,000 (and
    up - my guess is that when the movie came out, it was
    a whole lot more...) for a keynote.

    And basically, what are these guys selling? Are they
    selling solutions? No. Are they telling people, "Don't be
    a convicted criminal like me?" No. Are they telling people,
    "Here's a problem, and here's why it's hard to solve." Yes.
    But the bad news is we _already_ know about the problem
    and we _already_ know it's hard to solve. Getting inside
    the mind of the criminal is interesting but it's not super
    helpful. Use your brain for about 20 seconds and you can
    figure out 95% of social engineering. Do you really need
    the details about how stupid some of these guys' victims
    were? Do you really need the yuk-yuks? No; the message
    these clowns offer is not particularly valuable.

    If these guys had useful insights, they'd have been making
    loads of $$ as con$ultants or product builders, solving the
    problems that they chose, instead, to be part of. Hmmmm...
    Maybe they're not so smart, after all? Security practitioners
    have been around long enough to understand that there are
    some problems that are pretty much constants: trust, authorization,
    transitive trust, etc. They're like laws of physics: friction, inertia,
    etc. You don't see physicists paying lots of money to some
    rocket scientist who stands up and says, "Nyaa nyaaa nyaa!
    your bearings STILL have FRICTION!" -- having someone tell
    security practitioners that complex trust-based systems have
    authorization problems is about as useful.

    But you want to know who's really the idiot? The idiot
    is the person who plunks down good money for Mitnick's
    book, or pays a jacked-up conference attendance fee so
    some ex-con can stand there and say, "you are SO STUPID
    I can fool you ANY TIME." That's not just stupid - that's
    "double stupid." And then there's "triple stupid," which is
    trying to defend and justify the double stupids. :)


    firewall-wizards mailing list
