Is Security Being Commercialised and is it killing the "hacker scene"?

[MrLinus]

This originally was posted in Full Disclosure and recently resurfaced at another website I visit. While a bit crass, it does have some points. I'm curious as to what others think. Much like the Internet itself it has gone from a place of information to commercialization (recently however this has died down and seems to be settling into somewhat a balance between the two).

I don't think we can deny that Security has become commercialized. I think that is a reality. But I also think that the "hacker" (however you define them) has also become commercialized. (I want my Poulson action figure!!!). I wonder if this is a good thing. Looking at AO, which as a website, has been commercialized prior to being purchased by JUPM (the number of books that glorified AO as THE site to visit...). Kevin Mitnick seems to be enjoying the fame and limelight..

"Hackers" today are not as indepth as they were in the past. Whether that's a good thing or not I don't know. I think it is a reality in that there is just so much and wanting to learn it all, you really only get a few seconds here and a few seconds there. (whoever said that computers were a time saving device should be shot! I haven't wasted so much time in my entire life until I got hooked up and connected! )

What do you think?

I realize that people will have varying opinions in the matter. Please keep the ad hominim attacks to a minimum. Everyone has the right to their opinion, no matter how stupid it may be

Many hackers (who also view themselves as security experts) are pissed off by the landslide of new people, products, and money entering into the security space. You hear about how things are changing (for the worse), and posers, and blah, blah, blah. Hell, you even got hackers releasing [nothing short of] press releases about why they're leaving the scene because the scene is just too different nowadays.

Yes, it's true there are many more people becoming security "experts" (using this term as loosely as possible) every day. And yes, it's also true companies are running to the marketplace faster than Whitney Houston to a line of coke. And yes, it's also true that corporations are driving this trend by pouring obscene amounts of money into these companies without understanding their halfass solutions. But, honestly, you really can't ask for a better situation. If blackhats aren't *embracing* this trend, they're missing the boat.

Of course, the obvious benefit: The more people pulled into this space from various other backgrounds, the lower the average security administrator's level of knowledge becomes. This "dumbing down" happens for several reasons, but the most significant is the way in which these new generations of security administrators are educated. Typically, they are forced into these positions by employers that realize they desperately need security staff. So, they move some random people into said positions. Not uncommonly, network admins or sys admins that sucked in their previous positions. Now you've got some guy sitting there trying to figure out which way is up, so where do they turn? To vendors. Be it a vendor of hardware/software solutions, or a vendor like SANS (selling propaganda, errr, I mean, "education" about open source products backed by commercial entities which SANS purportedly invests in).

Since vendors are offering solutions criminally acute in focus (especially compared to the visibility required to solve the "problems" said vendors are trying to address), the vendor "educates" the willing client about the threats the client faces and how the vendor can save the client's world. Since many admins have been leaning about hackers and threats from the perspective of vendors who are trying to make a sale -- typically sales people or technical sales people like system/field engineers, like the blind leading the blind -- they have no concept of the *true* threats they need to be concerned about. It’s not uncommon to hear people talking about Teardrop, Jolt, and Ping of Death attacks. F'in DoS attacks against Windows 3.1, Win 95, etc! Not to mention, nothing that results in remote access to a system. Good, keep focusing on these "attacks." (And YES. ALL the other attacks these vendors focus on are just as lame as these examples). Typical hackers these days need to worry about power surges more than security tricks.

Although it grates on the nerves of everyone who knows better to see all these pen testers running around selling Nessus reports, or hear security admins spouting off illogically about how they use product XYZ to accomplish all these lofty objectives... Well, it also gives you a wide open map into the small areas they're actually looking into protecting, and the vast open areas they have no clue how to protect, much less watch, or even what the hell to look for if someone even did notice an irregularity.

So bring it on! We need *more* new security people and more new products to create more confusion, ambiguity, and false senses of superiority. Think security consoles only being released for Windows anymore doesn't signify anything?! Come on out, the waters fine!

CREDITS GO TO : Uncle Scrotora at hushmail

[SDK]

Security Boom reminds me a dot Boom in 1999-2000. A lot of companies see business opportunity here and try to profit of them. Because it’s somehow a new market, the market is very confusing with a lot of product that doesn’t work together yet. In a few years, half the companies will have done bankrupt or remove their security software from the market.

This is a new market. New market has a lot of up and down until they stabilized after a few years. Now, the customers just have to hang tight in here until it stabilized.

[Reelman]

Security/Hacking becoming commercialized is a good thing to the extent that it brings more information about the subject into the mainstream. Is all that information good or valid, no, but by bringing the subject into the marketplace of ideas more people can participate and have an opportunity be educated. I am by no means a security expert or a hacker but the biggest problem I encounter in the corporate and private matters is that users are totally ignorant about computer security. In my experience security education and training in the corporate world is totally lacking. Schools are not for the most part teaching security and most private users don't have the first idea about security. I am not advocating everyone having a security cert (more commercialization) or spending every waking moment studying security but learning about things that I hope are becoming common sense to most IT people, strong passwords, anti-virus (free or commercial), backups, and a firewall on your broadband connection.

Some bad things have come from the commercialization of security/hacking, companies selling a "solution" that will make a company totally secure is a farce. Foolish companies buying the totally secure solution is almost as bad but "let the buyer beware". "Average" users being so scared(or overwhelmed) of "hackers" because they heard they were bad in that movie or on the news that they get Chicken Little syndrome and give up is also a problem with commercialization.

Is commercialization security/hacking a bad thing, no. Over commercialization of security/hacking is a bad thing but I don't think we are there yet. Education is the key, sadly it is not free (it takes time) and most companies and users are not interested.

[neel]

In my experience the disadvantage grande from the comercialisation and the growth in internet users, is the spam. A nice example I found in me mailbox: spammail about spamblocking software... Cheap advertising for the companies and the parasite companies selling junk to solve it won't actually feel like solving the problem... Making the perfect spam-filter is the most stupid thing you can do from the economics point of view.

[RoadClosed]

The article does hit on some truth, every Tom and Jane are calling up wanting to "show" me how they can "protect" my netowork by selling products they are clueless about. It is the buzz of the industry and there are dangers from company's buying into a false sense of security just because they have a "box" plugged into the netork. It might work for a day or a week but like all systems, without knowledge and time, which equates to the energy of a sensible person, it will fail.

[chsh]

Personally, I think the motivation for hacking has changed. The people with the real technical know-how nowadays tend to really primarily be sysadmins, or people studying to be sysadmins. It makes sense any way you regard it. The difference now is that instead of being blackhats, people can actually make money by selling their 'security analysis services'. There are still some people who think that things like credit card fraud is the way to go (one of my uncles is having an issue with a credit card company over this), but the number is dwindling. It's a good example of something traditionally seen as breaking the law suddenly finding it has a viable commercial existence.

Another interesting discussion IMO is whether there would be this slew of vulnerabilities being exploited and discovered if there weren't so many organisations hellbent on breaking everything.

[MrLinus]

Another interesting discussion IMO is whether there would be this slew of vulnerabilities being exploited and discovered if there weren't so many organisations hellbent on breaking everything.

You mean like Full Disclosure et al? It's almost like Microsoft's comment that exploits aren't discovered or put on the 'Net until after the patch was released. In some ways, I wonder how true this is. I look at many of the exploits and such that exist and they may have something there in regards to a fair amount of the kiddies and wannabes (not that I'm a programmer of anything beyond "Hello World!"). Either there is a very small and well hidden underground of 0-day exploits or it's not being done any more.

Rarely do we see something new. Perhaps this is a side effect of the "commericialization" of security? Maybe we are coming up with better mousetraps (human nature will always break them) but perhaps the lack of desire to do things, better basic/default security enabled and more OS complexity is making it more tough for those kiddies to do things while the true "black hats" are limiting there attacks to things that are worthwhile financially (that is, becoming a white hat penetration tester).

Hrmm... gone on a bit of a tangent.

Back to your question: if we weren't testing so much and publishing it so much, would it still exist? and to the same degree? I suspect yes because even if we weren't sharing the info about what was found and learning new ways to prevent this from happening (e.g., CPUs with buffer overflow controls), the kiddies would certainly be trading this info. IMHO.

[chsh]

Originally posted here by MsMittens
You mean like Full Disclosure et al? It's almost like Microsoft's comment that exploits aren't discovered or put on the 'Net until after the patch was released. In some ways, I wonder how true this is. I look at many of the exploits and such that exist and they may have something there in regards to a fair amount of the kiddies and wannabes (not that I'm a programmer of anything beyond "Hello World!"). Either there is a very small and well hidden underground of 0-day exploits or it's not being done any more.

Rarely do we see something new. Perhaps this is a side effect of the "commericialization" of security? Maybe we are coming up with better mousetraps (human nature will always break them) but perhaps the lack of desire to do things, better basic/default security enabled and more OS complexity is making it more tough for those kiddies to do things while the true "black hats" are limiting there attacks to things that are worthwhile financially (that is, becoming a white hat penetration tester).

My two cents: You know admins are lazy, why bother doing more work than necessary to exploit a few hundred boxes? Just look up the details of an exploit at SecurityFocus, CERT, et. al., and write something to automate the exploit procedure and release. It worked for the two major and four minor versions of Code Red, Nimda, Slammer, etc., etc.. Almost all the recent big worm-viruses I can think of actually.

You do make an excellent point. With the commercialization of security, we are no longer seeing people live in an 'underground' discussing exploits and so forth. Now they are companies, out in the public eEye (), and are seen as doing the industry a favour by discovering these vulnerabilities, whereas before, they were doing things in secret, and villified for exploiting these vulnerabilities.

Back to your question: if we weren't testing so much and publishing it so much, would it still exist? and to the same degree? I suspect yes because even if we weren't sharing the info about what was found and learning new ways to prevent this from happening (e.g., CPUs with buffer overflow controls), the kiddies would certainly be trading this info. IMHO.

I suspect similarly, and in a way, I think the move to a commercialized security industry was created by the following circumstances:
- Old-timer hackers now acting as Sysadmins, knowing the tricks of the trade, and realising there was money to be made.
- {Cr|H}ackers kept up with software, and developed new methods of exploiting it.
- The growth of the computer industry as a whole necessitated that vendors respond far faster than before.
- The above in turn required more security researchers.
- Repat as necessary.
It seems the cycle was kickstarted by that first generation of cr/hackers who got jobs as systems admins. Until that point there had been little exploitation going on, thanks to basically a lack of technical know-how on the part of the people around at the time. Sure, exploitation occurred, but nowhere on the scale we are seeing it now. Your average virus exploits more software nowadays than the average old computer was capable of running at one time.
As much as I may think useability-wise it comes second to Linux,I have to say, the BSDs (OpenBSD chiefly) have made some good inroads into exploit prevention. That the kernel of the OS can detect and prevent forkbombs (just one example) is IMO a major achievement. I can think of no other operating system that is making similar progress.

[hypronix]

I agree largely with the article, especially concerning the automatization of sys-admins. I mean, after a 3-month course into network security, a person that has no prior knowledge or inclination towards computers can hardly protect a network against a dedicated hacker. Because they only know to click where they were taught to click. SO for companies that want to save money like this, I guess it is a good thing that they get penetrated [well, hopefully by a hacker abiding by some ethic code, regarding stealing private information or destroying data on the servers]. It is the only way they can make the right choice and find somebody that knows their thing.

And for all the people that say that the network security field [and, more generally, computer science] is an area where work can hardly be found... There is a difference between having a certification and having a brain to help with that certification.

[foxyloxley]

For my 0.02c worth:
the biggest reason that I can see for the 'lack' of an 'underground' ethos, is the one of advance. IT is expanding so fast that it is damn nigh impossible to keep abreast of present trends, let alone develop a deeper understanding of the system that you use at work / home.
It seems to make the carrot not worth the stick ? in that todays users are fed with a diet of
results NOW.

From this advance has sprung a massive increase in the number of computers in use, in virtually anything you can think of ( think of somewhere they are not, and you could have a money spinner? ) one thing in common is the OS complete with the full office kit, and DTP set up. All set up ready to go, the paperwork extols how user friendly their software is.

I started out with W3.11 on a 486 DX2 66MHz monster !! the total number of lines of code was, I believe, around 10 million, a number far above the average Joe's capability to visualize. Now W2K Pro is around 50 million lines, and by the time I feel (really) competent about the system, I fully expect W3K to be around

Now go back to the beginning, and Captain Crunch ? and all the phone phreaks, who found a way to utilise the phone system using a whistle !!! these were the days when the underground ethos was in full swing, as there was no other way to discover anything of real import without working at it.

NOW; you can Google for an answer, or for the terminally lazy, the WAREZ sites. Yes, someone has to put it up there, but that is the point? someONE.

And remember that in the beginning (almost) everyone that has attained a high position in the IT world was a 'Hacker' maybe not Mr Gates, but Mr Jobs definitely.

I can foresee a time when the development of the computer by the computer, starts to be limited by the ability of the user to make anything of it ? and this is where I can see the 'traditional' role of the hacker disappearing, not through commercialisation, but through the sheer volume of data available, that, and the increasingly complex OS's that are being talked up at present. Yes there will still be vuln's to be found. BUT, the users of that day will NOT be prepared to put in the hours to find and exploit as they once did.