Too bad it won't last - once all the newbies get CISSPs, we'll be screwed! Thanks Uncle Scrot, best thing I've seen on this list in a while!
> Many hackers (who also view themselves as security experts) are pissed
> off by the landslide of new people, products, and money entering into
> the security space. You hear about how things are changing (for the worse),
> and posers, and blah, blah, blah. Hell, you even got hackers releasing
> [nothing short of] press releases about why they're leaving the scene
> because the scene is just too different nowadays.
>
> Yes, it's true there are many more people becoming security "experts"
> (using this term as loosely as possible) every day. And yes, it's also
> true companies are running to the marketplace faster than Whitney Houston
> to a line of coke. And yes, it's also true that corporations are driving
> this trend by pouring obscene amounts of money into these companies without
> understanding their halfass solutions. But, honestly, you really can't
> ask for a better situation. If blackhats aren't *embracing* this trend,
> they're missing the boat.
>
> Of course, the obvious benefit: The more people pulled into this space
> from various other backgrounds, the lower the average security administrator's
> level of knowledge becomes. This "dumbing down" happens for several reasons,
> but the most significant is the way in which these new generations of
> security administrators are educated. Typically, they are forced into
> these positions by employers that realize they desperately need security
> staff. So, they move some random people into said positions. Not uncommonly,
> network admins or sys admins that sucked in their previous positions.
> Now you've got some guy sitting there trying to figure out which way
> is up, so where do they turn? To vendors. Be it a vendor of hardware/software
> solutions, or a vendor like SANS (selling propaganda, errr, I mean, "education"
> about open source products backed by commercial entities which SANS purportedly
> invests in).
>
> Since vendors are offering solutions criminally acute in focus (especially
> compared to the visibility required to solve the "problems" said vendors
> are trying to address), the vendor "educates" the willing client about
> the threats the client faces and how the vendor can save the client's
> world. Since many admins have been learning about hackers and threats
> from the perspective of vendors who are trying to make a sale -- typically
> sales people or technical sales people like system/field engineers, like
> the blind leading the blind -- they have no concept of the *true* threats
> they need to be concerned about. It's not uncommon to hear people talking
> about Teardrop, Jolt, and Ping of Death attacks. F'in DoS attacks against
> Windows 3.1, Win 95, etc! Not to mention, nothing that results in remote
> access to a system. Good, keep focusing on these "attacks." (And YES.
> ALL the other attacks these vendors focus on are just as lame as these
> examples). Typical hackers these days need to worry about power surges
> more than security tricks.
>
> Although it grates on the nerves of everyone who knows better to see
> all these pen testers running around selling Nessus reports, or hear
> security admins spouting off illogically about how they use product XYZ
> to accomplish all these lofty objectives... Well, it also gives you a
> wide open map into the small areas they're actually looking into protecting,
> and the vast open areas they have no clue how to protect, much less
> watch, or even what the hell to look for if someone even did notice an
> irregularity.
>
> So bring it on! We need *more* new security people and more new products
> to create more confusion, ambiguity, and false senses of superiority.
> Think security consoles only being released for Windows anymore doesn't
> signify anything?! Come on out, the water's fine!
>
> - Uncle Scrot

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
