Thursday, August 14, 2008

Grown yes, but matured?

Like many people, I often find myself thinking some people should "just grow up". I sometimes even find myself thinking that about the entire "security industry".

<tangential rant> The fact that we need a ginormous security industry just proves the software industry needs to grow up. </tangential rant>

This week at BlackHat USA 2008 and DefCon16 there was a lot of childish behavior - here's a little sample:

By individuals:

  • The guys who got arrested trying to break into the computer room at the Riviera.
  • The guys who got arrested for hacking the casino comp cards.
    • That's gaming fraud, which means the Gaming Commission - if convicted, those folks may be in Nevada for a while.
  • The French journalists who sniffed the wireless in the BlackHat press room and tried to get captured credentials listed on the "Wall of Sheep".
  • The people who hijacked, defaced, and later redirected Alan Shimel's blog and posted his private information to the Full Disclosure list.
    • Be aware that Alan's site was redirecting to graphic pornography as I write this.

By quasi-government agencies:

  • The MBTA (Massachusetts Bay Transportation Authority) for trying to suppress research into their failures to secure the "Charlie Card" fare system.
    • They got a restraining order and stopped the talk, but the presentation slides were already out on the Internet.
    • The MBTA's attempt to suppress the information backfired as the story was picked up by a multitude of news sources.

By security vendors at BlackHat:

  • Two words: Booth Babes. The Booth Babe thing is bad enough at the auto dealer convention (past life issues, still in therapy over it) - but at BlackHat?
    • Fortify Software gets a special mention here for gross lack of taste AND setting up their booth so that they added to significant traffic jams in the halls.
    • Fortify also gets clueless points for showing up at a security event and offending people just weeks after publishing a FUD "White Paper" on the dangers of Open Source software.

So here's where it gets weird - after this week I feel pretty good about the industry's maturity. Most of the people walking the halls, sitting in (and leading) the sessions, and participating in the competitions - they spend their days working to make the world's systems and networks more secure. From the C-level executives to the hobbyists to those of us in the trenches, almost all of these people are on our side. Sure, there are some disagreements on the best way to do things, and more than a few oversized egos - but we can work on that.

Of course there were some bad people there, and more than a couple of idiots - but in any group of ~8500 people you will get a few folks you would rather not be around.