http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/
This should cause some nice stirring of the proverbial pot.
Have you ever heard of a terrorist referred to as a "demolition engineer?" How
about a thief as a "locksmith?" No? Well, that's because most fields don't
share the InfoSec industry's ridiculous yet long-standing inability to
distinguish the good guys from the bad guys. Perhaps we're just in one of those
moods lately but it seems to be getting worse. It's far too easy for anyone who
has anything to do with information security to be labeled (by themselves or by
others) a "security researcher" without regard to their behavior. "Security
Researcher Breaks This" and "Security Researcher Exposes That" say the
headlines. Ugh; we really need to clean up our language. This begins with
setting a few principles and regularly using more accurate descriptors in our
publications and daily conversations.
Why does this matter? Well, it's a matter of principle: One is either part of
the problem or part of the solution. Problem-makers and Solution-makers should
no more have the same label as terrorists and engineers. Sure, they both
interact with explosives in their daily business but they put their skills to
vastly different uses. Is there a reason we must continue to label people by
the elements of their trade rather than the merit of their deeds? We think not.
We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use
the following definitions:
* Security Researcher: One who studies how to secure things and/or how
things are not secure in order to find a solution.
* Security Practitioner: One who applies the findings of the Security
Researcher in order to make things more secure.
* Narcissistic Vulnerability Pimp: One who - solely for the purpose of
self-glorification and self-gratification - harms business and society by
irresponsibly disclosing information that makes things less secure (or
increases risk).
* Criminal: One who actively subverts security without authorization or
deliberately creates ways for others to do so.
It's time to draw a line in the sand. If you too are tired of seeing criminals
elevated to a podium of legitimacy and bestowed the same job title you possess,
join us. We'd be grateful to have the company.
*****
Update: I put this as a comment but I felt it needed to go as an update to the
main article. I enjoy (many of) the comments and healthy debate on this
important topic...but please stop using analogies that compare the disclosure
of software/hardware vulnerabilities to auto part defects and sharks in the
water. Whatever your stance on disclosure, this line of logic simply does not
apply. If you make known an auto defect or shout a warning to people about a
shark in the water (I avoided a shark attack as a little boy bc of this, btw),
you DO NOT INCREASE THE LIKELIHOOD OF ATTACKS OR THEIR SUCCESS RATE. Other
drivers will not start crashing into you at higher rate and more sharks will
not swarm from across the ocean to attack you because of this
knowledge/warning. You can deal with the vulnerability (defect/exposure)
without an increase in the likelihood of attacks or incidents.
If you tell the world about a flaw in operational software/hardware, you
increase the pool of threat agents that know about it, increase the likelihood
they will attack, and increase the chance they will be successful. All of this
happens when you make the information known. Therefore, risk is increased
unless the problem is addressed beforehand. No way around it. Argue as you
wish...just pick a different line of reasoning (notice I'm not even mentioning
the fact that auto defects and imminent shark attacks aren't typically
announced under a spotlight). -Wade