Breaking news: "Internet Lawyer" clueless

I have started and deleted this post three times because I am so fired up.  I ended up just making a comment on this guys blog, but I thought I would post it here since there is exactly 0% chance he will approve it.  The post is by an internet lawyer and points out how 'nasty' Defcon is and that it should be 'shut down' if it doesn't 'clean up it's act'.  I am tense.  Very, VERY tense.

OK, here is my comment:

Imagine you are in charge of infosec for a large bank, running Oracle. There are 3,000 developers - most of them contractors - working with various databases inside your firewall. It's you, with nothing, versus 3,000 people you don't know backed potentially by 22,000 Russian and Chinese criminals with the latest 0day exploits. What are you going to do?

Well, first, you are going to go to Defcon, where without telling them which bank you work for you will learn the latest on these exploits from hackers who would be glad to give the information away nearly for free (since Oracle rarely does anything about them). This way, you know what you are faced with from the people who aren't so open. We usually call those people the criminals. I am sure you have heard the term.

Second, you are going to use Metasploit to test said database. Why? Because it is a framework for penetration testing with all of those exploits already in place. You can make sure that your database can't be compromised by those nameless criminals (there's that word again), all due to the VERY hard work of just a few extremely smart ... wait for it ... hackers.

You, my "internet lawyer" friend, have completely failed to get the point. You mention "finding an alternative approach for sharing knowledge and information away from the public eye." All of this information is already out there for those who care to find it. Defcon makes it available to the overwhelmed many who are tasked with protecting what we have. And that's a bad thing exactly how?

Thoughts are welcome from the peanut gallery.  Remember to read his post first, and the comments.  I do give him credit for allowing a few comments through.  Gah, sorry, I am just astounded that there are people still like this in the industry.

EDIT:  Ok, I was wrong.  He actually did publish my comment and published his own rebuttal, and my respect for him increased somewhat.  Nonetheless, it's that old argument: if you make owning a gun criminal, only the criminals will own the guns.

Comments are closed

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.


profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites