Hype and the Security Scene: Taking the “rep”

Ever since there has been a “hackerscene” there has been a constant struggle between its “inhabitants” and mainstream media over words. That’s all it is, you know: “what’s in a name”, to put it really (really 🙂 trite. Whether it was hacker, cracker or script kiddie, whether it was Kevin Mitnick or Mafiaboy (or neither) who represents the word “hacker”, there were and will always be disagreements and misconceptions in and about this scene when it comes to words.

Now of course we can rant and bicker about this all we want (and we probably will) but it won’t ever change anything really. Let’s face it, good intentions don’t sell. Ever heard that story about the two doctors? One of them was a world famous physician, curing terminally ill people and gaining quite the reputation as a “miracle worker”. The other one prevented people getting sick, so they wouldn’t and didn’t suffer a bit from the illnesses the first one cured. Which one do you think got all the fame and credit?

Hype sells. Does a company like ISS really think about warning the general public when it talks to the press about “hackers that are planning an online attack-fest this coming Christmas”? Nah.. if you wanted to warn the proper people of “discoveries” like this, you’d go through proper channels to notify incident response agencies and mailing lists like the Incidents and Bugtraq lists. And you’d take care that you actually had a “discovery” to report. It might just be me, but sentences like “the attacks, if they occur” don’t add much to the effect. But reading further down in the same article, we get to the real punch-line:

“In parallel with its warning of impending DDOS attacks this Christmas, ISS has teamed up with NOCpulse, a newly launched provider of outsourced Internet infrastructure management services, to deliver managed security services to customers.”

Ahh, so this was not much more than a press release after all? It’s hard to tell the difference nowadays, since well.. basically there is none.

The “scene” and the nasty side of recognition

The motivation for every person to be a “hacker” can be traced back to either recognition, admiration, curiosity, gain or revenge. (Yes, I liked the description in “Hack Proofing Your Network”, sue me 🙂 The motivation for a company to throw out these press releases could of course be the goodness of their heart. Unfortunately, being a company (and being human at that), gain is (and will be) the more operative word. Bruce Schneier wrote about it in an issue of Crypto-Gram earlier this year:

“Publishing a security vulnerability is a play for publicity; the researcher is looking to get his own name in the newspaper by successfully bagging his prey. The publicizer often has his own agenda: he’s a security consultant, or an employee of a company that offers security products or services. This is especially true if the vulnerability is publicized in a press release. Services like PR Newswire and Business Wire are expensive, and no one would do it unless they thought they were getting something in return.”

Basically that’s what it comes down to. Being human, no one does anything unless they think they’ll be getting something in return. This is a very depressing outlook on things, I’d have to agree. Unfortunately I don’t think it’s something we can change. However, some groups/people should try to refine their actions a bit. The ISS release is more smoke than fire, so to speak. All it does is spread the FUD. Of course for the company this is nice: FUD is more of a reason to hire security consultants than the actual feeling that you need security (another grim, yet in my opinion realistic, view). But this behaviour has kind of set a trend nowadays. Just for the hell of it, check the number of other companies releasing statements on the matter afterwards, some even claiming they already knew it. Well, I did too. This kind of attack has already gained so much publicity that there are bound to be kiddies playing around with it out there, just as there are bound to be kiddies who have now picked up on the idea. Well, I guess that just gives the consultants more work, eh?

Don’t get me wrong, I can understand the need for approaches like this to get the publicity (somewhat), and it’s definitely not just the companies. The media and yes, even (a lot of) people in the security scene themselves are led too much by the “gain” and less by the morality. But this is no excuse of course. If the companies are unwilling, maybe the media covering these releases should get a bit more picky. But then again, picky doesn’t sell; big “spread the fear” headlines do. Is this really what it has come down to? Well, ask yourself this question about the media approach: after all the fuss about the Microsoft “hack(s)” earlier this month, what is the resulting effect on general public opinion? “Geez, these hacker-dudes are pretty damn scary (.. I wish they’d lock ’em all up)” or “hmm, I guess that if security policies at major corporations like MS suck that badly, how the hell can they be expected to deliver better ones to us (.. heeey, look, that’s my creditcard number out there in plain view, thanks >fill in company name here<, they should lock YOU up)?” In the end it IS all about appearances.
