From: InfoSec News Date: Tue 20 May 2003 - 02:18:20 CDT http://www.wiretrip.net/rfp/txt/evolution.txt Times change. People change. Or more correctly, people evolve. Their needs become different and their desires shift focus. What was a demand yesterday is useless excess today; what was leading edge then is ancient technology now. And the security industry is no different. The security industry is a much different place than when I entered it (although I must give my proper respects to those who were in the scene way before I ever came around). My reasons for being back then were very clear to me: open and free research--education of myself and others. At the time many others followed the same principle, and all was well. Of course, (in)security flourished, and that means commercialization was inevitable. Granted, I don't believe your general commercial security service offering is that bad. But that's only step number one of commercialization. Once market viability was proven, then came the rush to create commodities. Security is now sold in a red box with a support contract. And this is where things went downhill. I'm not the only one who feels this way. A large part of the Anti-Sec movement was based on the same cause; we just differ on the response. Granted it's naive to think things will, or even can, change back to the way they were. I think that's the oversight many have. We can't go back. There's very few instances of retrograde in evolution--particularly retrograde sparked/lead by a small group. And even the entire security industry would amount of a small group in the grand scheme of things. A good example is the meaning of the term 'hacker'. At one time it meant 'tinkerer', or someone who had an exceptional specialized skill or understanding of a subject. The subject didn't have to be security-related, or even computer-related. Nowadays the meaning of the word is different. It imbibes criminal connotations, largely due to media misuse. Worse, we can't change the fact that people have accepted the new meaning. But I still naively clung to the old meaning, and evangelized it's proper use as much as I could. Now I realize I was in err. No one can unbrainwash the world into reclaiming the original meaning of the term hacker. It's a dying battle; the damage has been done. The old meaning of the term is extinct. Except 'hacker' is not the only thing which has changed. In particular, the reasons and drives in the security research community have changed--not so much for the better or worse, but rather 'for the different'. What was free and open research is now profit, marketing, and illicit. Vendors stepped in and took control, and the government started providing oversight. Some will say the Wild West was tamed. I say the Free West was put under lock and key. Well, 'lock and key' is definately extreme. It's as oppressive as you let it be, but it's hard to not feel the onerousness with all the security-related legalities that have crept up. Do the DMCA et. al. really retard the 'bad guys'? After all, the DMCA is just a law, and the bad guys, by definition, are not law followers. They could care less. But it does impact the 'good guys', particularly those doing security research, like myself. It's things like the DMCA and the possibility of a misguided lawsuit at every turn which make me happy that, to this day, I have stayed behind my nym, as flimsy as a shield it actually is. Anyways, the security industry has transgressed the parameters in which I chose to operate. Since the beginning I have always said that I am doing what I do because I like it--it is *fun*. Well, it was fun. But it's not anymore. So now I'm left with the choice of leaving the security industry entirely, or adjusting my expectations to better fit to today's snapshot of security. This leads to the refactoring. I've decided to set new parameters for myself and how I interoperate with the rest of the security industry. My wiretrip website is one obvious change. There's enough computer security sites and blogs on the Internet that the world doesn't need another--nor do I have any intention of doing what everyone else is doing, without providing any significant unique value. Therefore I consolodated and reduced the website to the bare essentials. Superfluous material (for the sake of superfluous material) is no more. Whisker is also no more. The demands for technical support, and the requirements for keeping it updated, far outweigh the benefits of continued development. I can't compete with the commercial scanner vendors who have funds to contribute to development. I also can't compete with large projects which have many hands to help maintain code bases. This doesn't even take into factor the general futility of CGI scanning in this day in age. So it's done. Also done are my speaking engagements. I don't plan on answering any more CFPs or accepting any more invitations. I do not have anything left to speak about, nor anything I wish to speak of that would benefit anyone other than curious researchers. I'm going to enjoy being in the crowd for once. I've had a lot of good moments in the past few years in this industry, and I'm sure there's still a few more to be had. I will still be around, my research will still continue, and development of libwhisker will still happen. But the days of free security research for the sake of free security research are numbered, if not completely over already. Don't lose sight of security. Security is a state of being, not a state of budget. He with the most firewalls still does not win. Put down that honeypot and keep up to date on your patches. Demand better security from vendors and hold them responsible. Use what you have, and make sure you know how to use it properly and effectively. And above all else, don't abuse or take for granted sources of help and information. Without them, you might find yourself lost or inconvenienced. - rfp May, 2003 - ISN is currently hosted by Attrition.org