Reasons Forgotten.

Recently, correlating with both the publication of a humor ezine known as ~el8 and the speech given by gweeds at H2K2, there has been a tremor within the computer underground. The backlash towards the security industry and what it represents, and how it contrasts with the so-called blackhat hackers, has come into play. The ideas represented by gweeds and ~el8, however, only begin to delve into a much greater issue. The original intent of hackers, as represented through early texts and what was once the thriving computer underground, was one of exploration. This exploration drove not only the earliest hackers in labs at MIT, but also what came to be known as the golden generation of hackers, who explored upon and built the technology which is now valued so greatly by billions. Access to computer resources was guarded, however, and those wanting to play on and understand computer systems at the time had to circumvent the security which was put in place. The corporations responsible for computer security at the time decided that the best way to understand the tactics and methodologies used by those who defeated the systems in place was to hire them. Thus a bond slowly grew between the computer security industry and the computer underground. The original intent of those accessing computer systems illicitly was, however, never simply to develop techniques in which security could be broken. It was, as it is with all enthusiasts and explorers, the access involved. Fast forward to now: what's happened? The computer underground is tied so deeply into the computer security industry that hackers are almost expected to work within the computer security industry. The skript kids of today all boast to be computer security experts, the reasons of exploration long forgotten. It's been a long time since there have been discussions related to the actual results of actions. The actual knowledge gained.
A long time since information regarding systems unknown and networks out of reach has come to light. The majority of development which comes out of the computer underground has been related to methodologies rather than advancements. I miss those days.

Moving on, there are 2 great misconceptions presented by the computer security industry. The first is that software vulnerabilities are to blame for all the world's intrusions. This, to anyone actually involved with securing computer networks, should obviously be untrue. The first thing they teach you in any military class, any civilian physical security class, any home security workshop, and in almost every computer security class offered is that Security is all about Trust. What does this really mean? Take a museum which locks all its doors and doesn't invest in a guard or a security system. The next day the windows are broken and everything inside has been looted. Is it the windows' fault for not being strong enough? Or the museum's fault for trusting in, or overtrusting, the security provided by the locks and windows?

Apply this to computer networks. "Computer networks are built on trust" (another key phrase presented in every security/networking class). Software written for networks and computer systems is also built on trust. There will always be vulnerabilities within common software written for everyday people to interact with, because it has been written to trust the computer it's on, the network it's on, the person who's operating it, etc. etc. etc. The fact that software interacts with something at some point means it inherently trusts that interaction to be safe. Even software specifically written with security in mind still has all these points of trust, and also trusts joe shmoe who wrote it to not have made any mistakes, there not to have been any advancements within vulnerability research since it was published, etc....
Those of you expecting software to be written completely bug free have probably never been developers. There are always bugs, in EVERY piece of software EVER written; every day people find thousands of them, most not security related, but you see where I'm going. Somehow the computer security industry, well, most of it anyway, seems to have perpetuated the idea that software development and security are interrelated at the highest level. This has culminated in an entire culture dedicated to rooting out software vulnerabilities, and has made ISS, @stake and a bunch of these other computer security companies millions of dollars. As Kevin Mitnick once said, "while you were looking away, I could have stolen your laptop and all your files"...... Draw your own conclusions.

The second misconception thrown out there by the majority of security companies, and those loveable so-called "whitehat" hackers, is that they actually help bring up the level of security by spreading information related to vulnerabilities and informing the public of how evil hackers can screw up their computers. I can't believe this information is spread so recklessly. Major corporations of course have security people who are on top of things and send out notices to the admins to update their software, and if the security professional is competent, there is a limited amount of exposure due to the inherent distrust of any one part of the system for another. Security professionals won't be embarrassed, because they update their software to the latest and greatest available and limit their exposure as such. Everyone else, who probably doesn't really care about security enough to stay on top of things, is of course screwed. Exploits circulate and damage is done to those people who the security folk deem as "lame" anyway. When asked if they'd rather have some hacker kid exploring the computers of Sony or some random guy using their credit card, I think most people would go for the former.
And to those who say it happens anyway, it never happens on such a wide scale when the information is private as when the information is public.

To conclude, this security scene, and the computer underground it has so happily commercialised, has become another example of the silicon snake oil which so gallantly led the economy for the last couple of years. Everyone is willing to sell out everyone else for the almighty dollar. It is sad to see those formerly adventurous souls tied down researching vulnerabilities which help no one but big business and big brother. The words of the Mentor, the drive to explore and the private nights at home, discovering machines and places no one had ever been before, have been replaced by countless nights spent simply as low-level software developers, IRC ninjas and security professional hopefuls. In any scene the true reasons for having it always lose out to commercialization at some point. Better reserve those Defcon tickets now.