The Shock Rockers of the IT Security Industry
April 2, 2008
Shock Rock: a borderline musical idiom. The performers usually play something relatively extreme compared to the mainstream of contemporary music. The main stimulus is visual, as shown in the various acts' live performances (or “shows”). Usually the music is not that good, and most of these bands prove to be nothing more than a one-trick pony. Since the amount of shocking behaviour the law permits in public is finite, the genre is quite unpopular now: most of what there is to be seen was already shown back in the 80s. “How is this related to the IT Security industry?”, the astute reader might ask.
Today I had the dubious pleasure of using a port scanner made by a known security company. I will give no names, but trust me, you have heard of this one and maybe bought a book or two from them. It is your typical win32 software, version X.Y, with X being much, much greater than 1 (therefore revised and improved with every iteration). Running a port scan against a firewalled VM, it reported filtered ports as open, while nmap displayed them as closed or filtered. At first I thought there was something wrong with my firewall configuration. Upon further investigation, it turned out that the tool was doing a simple connect() scan and reporting ports whose connection attempt timed out (packets silently dropped by a -j DENY rule) as open.
If you are familiar with Bruce Schneier, you will know that in his book “Secrets and Lies” he introduces the “snake oil” merchants. Unfortunately, even with a slightly more security-educated IT community, frauds like the ones described in the book can often be encountered in the field. Like our pals from [CENSORED]. Hey guys, is it too much to ask that your connect() port scanner (with a version greater than 1, mind you) at least expects the presence of a firewall someplace? I am sure that quite a lot of pimping goes into your books; I would not know. I bought one of your books back in 2001 or so and it was a terrible waste of money and time. To cut a long story short, you have a bunch of clueless posers with a good PR department charging the hell outta their clients and presenting themselves as authorities within the IT security industry. Unfortunately for them, the shock rock effect of their material, the overestimation of how “them pesky hackers are out there to get YOU“, will soon wear off and those morons will be exposed for the frauds they are.
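To make the failure concrete, here is an added example (written for this page; it is neither the unnamed tool's code nor the author's) that puts the two ways of reading a connect() probe side by side. A connect() scan only ever sees three things: the handshake completes, the kernel answers with a RST (connection refused), or nothing comes back and the call times out. The naive classifier treats "not refused" as "open", which is exactly what turns a silently dropping firewall rule into a screen full of open ports; the strict one only calls a port open when the handshake actually completed. The sample outcomes at the bottom and the loopback check are constructed for the demonstration; the port is chosen by the kernel, so nothing here depends on a particular host.

```python
import errno
import socket
from typing import Optional

# Possible verdicts for a single TCP port probe.
OPEN, CLOSED, FILTERED, UNKNOWN = "open", "closed", "filtered", "unknown"


def naive_classify(outcome: Optional[BaseException]) -> str:
    """The behaviour the post complains about: any connect() that was not
    explicitly refused is reported as open.  A firewall that silently drops
    the SYN produces a timeout, which this logic mislabels as an open port."""
    if isinstance(outcome, OSError) and outcome.errno == errno.ECONNREFUSED:
        return CLOSED
    return OPEN


def classify(outcome: Optional[BaseException]) -> str:
    """Map the result of connect() to a port state.

    outcome is None when connect() succeeded, otherwise the exception it
    raised.  Only a completed handshake means 'open'; a RST means 'closed';
    no answer at all (a DROP/DENY rule) or an ICMP unreachable (a REJECT
    rule) means the probe never reached a listening socket: 'filtered'."""
    if outcome is None:
        return OPEN                      # SYN/ACK received, handshake done
    if isinstance(outcome, socket.timeout):
        return FILTERED                  # SYN silently dropped, no reply at all
    if isinstance(outcome, OSError):
        if outcome.errno == errno.ECONNREFUSED:
            return CLOSED                # kernel on the target answered with RST
        if outcome.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return FILTERED              # ICMP unreachable, typically a REJECT rule
    return UNKNOWN


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Run one connect() probe and classify it with the strict rules."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError as exc:           # socket.timeout is an OSError subclass
            return classify(exc)
    return classify(None)


def loopback_demo() -> tuple:
    """Constructed local check: probe a live listener on 127.0.0.1, then the
    same port once the listener is gone.  Returns (state_while_listening,
    state_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


# Constructed sample outcomes, standing in for what connect() would raise
# against a dropping rule, a closed port and a rejecting rule respectively.
SAMPLE_TIMEOUT = socket.timeout("timed out")
SAMPLE_REFUSED = OSError(errno.ECONNREFUSED, "Connection refused")
SAMPLE_UNREACHABLE = OSError(errno.EHOSTUNREACH, "No route to host")


if __name__ == "__main__":
    print("loopback:", loopback_demo())
    # The dropping firewall case is where the two classifiers part ways.
    print("naive :", naive_classify(SAMPLE_TIMEOUT))
    print("strict:", classify(SAMPLE_TIMEOUT))
```

The difference between the two functions is one branch, which is the whole point of the rant: a scanner that has shipped enough revisions to carry a major version above 1 still has no notion of "no answer", and a tester who trusts its output will walk away with a list of open ports that is mostly the firewall. Note that even the strict classifier cannot distinguish a dropping rule from a host that is simply down; that ambiguity is inherent to a connect() probe and is why the result is called "filtered" rather than anything more definite.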
April 3, 2008 at 1:13 am
Ahm! Security tools.
Some people “become” security experts because they know the “tools”. They make assumptions and decisions based on “what the tool says”. And you cannot deny those words with knowledge, because behind the “tools” there is an empty space where the background knowledge should be.
I still remember my mother’s husband saying that I was trying to hack his computer because a “firewall” said that. And the only proof I got was a one-line entry in the “firewall” screen showing the router IP and “possible attack”. No packets, no difference between source and destination IP. Nothing that, combined with knowledge, could result in some kind of analysis of what’s happening.
Now I enjoy the “same root password” on all systems, mixed with a bunch of firewalls we “have to” cross every day if we want to work (God save ssh tunnels). This is salted with a bunch of critical software running as root without any kind of measures to stop the effects of a bug when you run software as root.
April 9, 2008 at 2:54 pm
Too many points in your comment, my friend.
I am not getting exactly what you are trying to say in the last paragraph of your comment.
i) Do we have to dissect and reverse engineer all the tools (with FOSS tools it's much, much easier, you just read the relevant portions of the source code) that will be used in day-to-day operations? I mean come on, this is not nuclear physics instrumentation, it's a fucking connect() call …
ii) Tons and tons of security tools are just CRAP. False results, no advanced user mode, overstated scope of use.
iii) Please elaborate a bit.