Krypt3ia

So lately I have noticed the whole lot of drama surrounding the Infosec scene and I am frankly fed up with the crap. All of the posturing and the whining has got to stop before anyone takes anything seriously outside of our own insular, and functionally autistic community.

We, that is not the royal ‘we’, as a whole, get it in the Infosec workspace.

They, as in ‘the real world that certainly outnumber us by exponential numbers’ do not get it.

Simple really. Now I want you to understand one more thing…

THEY (the real world outside of the Infosec sphere) WILL NEVER GET IT AND WILL LIKELY NEVER CARE SO QUIT YER BITCHIN!.

Whew.. I said it.. That’s been building up like a shaken can of coke with a Mento in it.

I guess the best navel gazing on this issue I have seen of late is the post by jhaddix called “Doing It The Hacker Way” wherein he comes to the same kind of conclusion I have; stop the douchbaggery and just deal. I have to agree whole heartedly with this statement, however, I would like to add some more perspective to the whole debate here on the “Them vs. Us” thing that seems to be the mindset of the Info/Offsec communities as well as some observations.

So here goes.

• I have said it before and I will say it again now. People as a species, are poorly equipped to understand and react to long term threats. Just look at Japan and Fukushima to illustrate this. Building nuclear facilities the coast of an island prone to seismic activity AND tsunami’s? Yeah, perhaps not the best idea. How is that for long term threat cognition? Now think about this and computing/networking where the concepts of threats are even more arcane to the general populace. Yeah, it has all the makings of a disaster.

• Now, if you have a group of people who are unaware and unable to comprehend the dangers AND they happen to comprise a companies hierarchy, how do you get the issues across to them and elicit that comprehension and resulting action to mitigate the problems? Furthermore, how do you get them to continue to understand and be mindful to prevent the same if not more issues in the future? The current answer seems to be to fuck the daylights out of them with every tool and trick you have. Rape and pillage, scaring the living shit out of them.. Or, to be the Cassandra who says that all of these things can be done and likely will. Neither of these approaches my friends will be enough to change the evolutionary process to MAKE them really care. So breathe for a while and contemplate.

• Yes, you are some of the smartest people in the room, but, remember even smart people can be eggheads who can’t park a bicycle right.

• This is a young ‘industry’ however, you need not act like a juvenile.

• One must admit that no matter how many times an assessment is carried out and things are found/exploited there are ALWAYS more vulnerabilities being introduced. You will never get them all and the client, if they understand this, will become inured to it.

• Attempting to subjugate companies, and people to your way of thinking by rooting the shit out of them will only serve to get you escorted off the premises and land you MUCH less work. NO ONE will ever get to perform all of the tests they want to (carte blanche) at any company. There will always be caveats to testing/assessments for clients simply because they do not understand the threatscape as you do… And don’t forget, they may not really care.

• In the end, companies only have to comply with good faith efforts “Due Diligence” to supplicate the likes of the government on security issues. This is why most regulations are toothless. If you really mandated true security compliance, companies would never be able to sustain the weight of that standard and fail.

• The general populace doesn’t care about their emails being popped and spam/phising attempts being sent to them. More than not, they do not even know or care that such events like Epsilon even happened and if they do get an email from company A that their PII was taken, they will shrug it off and forget about it. Once again, they do not comprehend the ramifications of what “could” happen to them from such a breach and won’t unless it does happen to them. Once it has happened to them though, they have little recourse to force any company to do any better on security, just as much as the Infosec community attempts to and finds frustration in.

• “It’s human nature stupid” This is your mantra now if you want to stay sane.

• Lastly, FORGET worrying about corporate America (unless that company holds key infrastructure networks such as NASDAQ/NYSE/TELCO/ELECTRIC) and worry about the government and military security postures. If you really want to worry about shit, worry about their being secure. After all, if that shit goes down it will be pandemonium out there in the world. Ask yourself this question.. If the power went out for a year or more, do I know how to survive without my electronic shit? Can I even jury rig a pump to get fresh water? If you can’t then you’re fucked. So worry about that instead of “I just wanna break shit because I know I can and you all need to learn!”

Sure, there is a place for the discourse on making companies see the Infosec light, but, there just seems to be too much yammering and complaining and not enough cogent thought on how to really effect positive change. PTES will be a great help in the effort of bringing a standard to pentesting, but, will that in fact get that corporate horse that you brought to the trough to actually drink? I don’t think so. We ALL have to have a little more common sense about things and have a better understanding of not only human behaviour but also herd mentality. Without being able to manage the elephant, we will only get our little green VW Beetle sat on and crushed.. Whereupon we will rock back on our floppy Infosec clown shoes crying “Woe is me!”

K.