This originally was posted in Full Disclosure and recently resurfaced at another website I visit. While a bit crass, it does have some points. I'm curious as to what others think. Much like the Internet itself, it has gone from a place of information to commercialization (recently, however, this has died down and seems to be settling into somewhat of a balance between the two).

I don't think we can deny that Security has become commercialized. I think that is a reality. But I also think that the "hacker" (however you define them) has also become commercialized. (I want my Poulsen action figure!!!) I wonder if this is a good thing. Looking at AO, which, as a website, had been commercialized prior to being purchased by JUPM (the number of books that glorified AO as THE site to visit...). Kevin Mitnick seems to be enjoying the fame and limelight.

"Hackers" today are not as in-depth as they were in the past. Whether that's a good thing or not I don't know. I think it is a reality in that there is just so much, and wanting to learn it all, you really only get a few seconds here and a few seconds there. (Whoever said that computers were a time-saving device should be shot! I haven't wasted so much time in my entire life until I got hooked up and connected!)

What do you think?

I realize that people will have varying opinions on the matter. Please keep the ad hominem attacks to a minimum. Everyone has the right to their opinion, no matter how stupid it may be.

Many hackers (who also view themselves as security experts) are pissed off by the landslide of new people, products, and money entering into the security space. You hear about how things are changing (for the worse), and posers, and blah, blah, blah. Hell, you even got hackers releasing [nothing short of] press releases about why they're leaving the scene because the scene is just too different nowadays.

Yes, it's true there are many more people becoming security "experts" (using this term as loosely as possible) every day. And yes, it's also true companies are running to the marketplace faster than Whitney Houston to a line of coke. And yes, it's also true that corporations are driving this trend by pouring obscene amounts of money into these companies without understanding their halfass solutions. But, honestly, you really can't ask for a better situation. If blackhats aren't *embracing* this trend, they're missing the boat.

Of course, the obvious benefit: The more people pulled into this space from various other backgrounds, the lower the average security administrator's level of knowledge becomes. This "dumbing down" happens for several reasons, but the most significant is the way in which these new generations of security administrators are educated. Typically, they are forced into these positions by employers that realize they desperately need security staff. So, they move some random people into said positions. Not uncommonly, network admins or sys admins that sucked in their previous positions. Now you've got some guy sitting there trying to figure out which way is up, so where do they turn? To vendors. Be it a vendor of hardware/software solutions, or a vendor like SANS (selling propaganda, errr, I mean, "education" about open source products backed by commercial entities which SANS purportedly invests in).

Since vendors are offering solutions criminally acute in focus (especially compared to the visibility required to solve the "problems" said vendors are trying to address), the vendor "educates" the willing client about the threats the client faces and how the vendor can save the client's world. Since many admins have been learning about hackers and threats from the perspective of vendors who are trying to make a sale -- typically sales people or technical sales people like system/field engineers, like the blind leading the blind -- they have no concept of the *true* threats they need to be concerned about. It's not uncommon to hear people talking about Teardrop, Jolt, and Ping of Death attacks. F'in DoS attacks against Windows 3.1, Win 95, etc.! Not to mention, nothing that results in remote access to a system. Good, keep focusing on these "attacks." (And YES, ALL the other attacks these vendors focus on are just as lame as these examples.) Typical hackers these days need to worry about power surges more than security tricks.

Although it grates on the nerves of everyone who knows better to see all these pen testers running around selling Nessus reports, or hear security admins spouting off illogically about how they use product XYZ to accomplish all these lofty objectives... Well, it also gives you a wide open map into the small areas they're actually looking into protecting, and the vast open areas they have no clue how to protect, much less watch, or even what the hell to look for if someone even did notice an irregularity.

So bring it on! We need *more* new security people and more new products to create more confusion, ambiguity, and false senses of superiority. Think security consoles only being released for Windows anymore doesn't signify anything?! Come on out, the water's fine!

CREDITS GO TO: Uncle Scrotora at hushmail