Re: [Full-disclosure] Security Researcher Not Particularly Humiliated

I Agree
On 4/8/07, Raven Alder <raven@xxxxxxxxxxxxxxx> wrote:

Hiya --

> Security conference staff needs to do a better job of screening
> their audiences to prevent this sort of harassment during
> presentations. I must admit that I am afraid to present at future
> conferences if there is the possibility of being humiliated like
> this during my talks.

As the researcher in question, I didn't feel particularly
humiliated. Sure, I thought the guy was a troll, but I figured that he
was just being a jerk to me because he had some chip on his shoulder and
couldn't find anything to complain about in my talk. But really, his
big tac-nuke against me was that there was some undisclosed bug in
Apple's code? That's hardly my fault. I don't write their OS, and the
thing was fully patched, firewalled, hardened, and still got popped.
Shit happens.

I didn't go public with it because I wanted a smoking gun first.
Security is very much a "show me" industry, and I didn't want to make
claims that I couldn't substantiate. I did approach Apple, and they
pretty much blew me off. I sent them a detailed event report, offered
up my system for forensic analysis, and offered to help in any way I
could. They went to the press, gave a reporter my name (I had not gone
to the press), and dished some crap about how I let my boyfriend use my
computer and he probably did something to disable my firewall and cause
it to auto-own itself or something. Dude. My boyfriend does not have
admin permissions on my machine, for starters. Way to help, Apple.

After realizing that Apple were not my friends and were more
interested in their PR spin than they were in finding and fixing the
problem, I stopped talking to them. I had several OS X geeks have a
look at the system, and none of them were able to find anything more
conclusive than I did. Forensics geeks, same thing. So, I dumped the
filesystem for posterity, vowed that no OS X box was going on a hostile
network again, and reformatted the thing.

Sorry, folks, but I'm not going to share my filesystem dump with
people that I do not already know and trust. Don't even ask.

Not even if you're Apple. You leak my name to the press when
I'm trying to help you find your flaw, you get no more help from me.

All of this is pretty irrelevant to the talk I gave. Still, I
don't feel that audience screening is the way to solve the problem -- I
don't want to quash honest questions and interest in the projects I'm
working on, and I think any screening that wouldn't be trivially
defeated by lying-fu would be draconian enough to be detrimental to free
and open discourse. There are always going to be trolls. I think the
audience and convention response was about as good as it could have been
-- the troll got told off by several people, two of them with the mike,
but it was pretty clear that most people were more interested in the
technical content of the talk than they were in his effort to get my
goat. The conference organizers offered sympathy, and that was kind of
them; I believe the guy got pitched out of the con for going on to
harass a few other folks too. Charming gent.

So, really, I don't think I have anything to be ashamed of, and
I certainly don't feel humiliated. I can see why getting ad hominem
questions might make getting up on stage more intimidating for future
speakers, but I don't intend to let that shut me up. [grin]



Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
