Comment
Wh1t3Rabbit
on 02-01-2012 09:15 AM

  Well now, that certainly is a stance against much of the established security community which prides itself on the discovery and exploitation of 0-day security bugs.  An interesting perspective, but I have to tell you I do agree with a significant amount of what you're saying - all break and no fix makes for a very poor culture of destruction.


  I'm not sure that information security takes itself as seriously as other fields of legitimate research, so that many of the rules simply don't appear to apply as you've stated.  This actually has been something I've been writing and speaking about for a long, long time on my blog (hp.com/go/white-rabbit).  If we're just a bunch of 'breakers' we're really not solving any problems, as you've pointed out.  Security researchers are infamous (this is not a good thing) for "dumping off a vulnerability" on the doorstep of a company or organization, then threatening to expose them for having it in their code or architecture.  Yes, it's the company's responsibility to remediate or ensure it doesn't happen again, and yes, many organizations simply act as if they don't care and drag their knuckles ... but this falls back to the security research community.


  Go to any conference, security conference that is, and look around.  The talks that get the big crowds are the "How I hacked ... and you can too" ones, and the ones where people are offering real solutions to serious problems are sparsely attended ... why is that?  It's part human nature - we all can't turn away from a train wreck - and part need to be in the spotlight and 'cool', I guess.  Or maybe we just need to demonstrate our mental superiority?  If that's the case, I suggest we do that the way your labs are doing it - by solving problems that plague organizations globally.  Solving real security issues, on massive scales, is where the real security research should more keenly focus today.  Just my $0.02 ...


/Wh1t3 Rabbit.