Security, Community, And Me
News.com has an article on pretty much what I was talking about yesterday: the problems of disclosing – and not disclosing – security vulnerabilities. And to clarify, if there’s one thing the anti-sec hacking groups like el8 got the security community to consider it was the possibility that no exploit code would leave black hat hands, leaving manufacturers and InfoSec pros alike in the dark. The News.com article suggests that while that’s not quite the case a year after the White Hat Hate/Project Mayhem hoopla of last summer, roughly 90% of all exploits are kept “private” by black hats.
I always seem to get back into security around this time of summer. Maybe it’s the buzz around conventions like DefCon, which I’ve never gotten a chance to get to, and maybe it’s the direction my summer work always seems to take me – or I take it. But security, and the security community, are an endless source of fascination to me.
When I was younger, and known around my school for going to “hacker meetings” (really just my humble local 2600 meeting, a motley crew if ever there was one), students and teachers alike would ask me in hushed tones “what are those people really like?” I hardly consider myself an insider, but I’ve met some infamous folks and spent all too much time with “everyhackers,” the average Janes and Joes of the security community. I can say that they are at once intriguing and appalling, inspiring and frustrating. You know, just like most people.
Everyone in the community has something to prove: underground kids who can spend their days coding exploits ‘cause they live in their parents’ basement and can pass their classes without batting an eye, throwing up their prowess to their professional elders; the pros themselves, now perpetually on the defensive; the rare female hackers, lording their sexuality over awkward geek boys; and the arrested development cases that are the male majority of the hacker world, ultra-competitive in this one turf they can comfortably claim.
The (tamer) conventions I’ve been to are a frenzy of attitude, in-jokes and cliques, hittings-on, drinking, drugs, and everything else you’d expect from a self-styled underground. And yet, there’s a certain harmlessness to it all when you realize that these are the people who never got invited to the high school parties finally getting a chance to cut loose amongst their own. Of course, I’m over-generalizing. I’ve met enough hackers who have an idiomatic distinctiveness to them, who can at once be a part of the community and observe it coolly, and often with a sense of humor. But most get swept up in it all, and it’s easy to have that happen. Enjoyable, even.
So why do I write about all this from a detached vantage point if I have a certain affection for the hacker community? Because for one, my involvement and interest in it has waxed and waned, though I’ve assumed for a number of years that my professional life would inevitably involve InfoSec matters. And secondly, because there is a crassness to the community that I find gauche at its least and downright ugly at its worst. I’ve yet to make the pilgrimage to DefCon because the prospect of hundreds of hackers salivating over strippers and whores, addled on watered-down drinks and fired up from self-serving debates on the conference floor has a kind of information-age-Hunter S. Thompson ghastliness to it.
I’m also not what I would call a real hacker. I can’t (at least not often) look at code and tell you where it’s exploitable. I can’t look at long strings of hexadecimal and translate them in my head in less than five minutes. Perhaps those aren’t the best examples, but what I mean to say is that I just don’t have that preternatural instinct for computation that makes math geniuses, grand masters in chess, and great hackers. Which is not to say I don’t have my strengths in the field, but just that I don’t measure up to the criteria of a truly brilliant hacker – then again, few do. My gift – and my true interest – is having a combination of technical understanding, social and political instinct, and a general ability to synthesize, in the rhetorical sense, the varied disciplines that converge around Information Security. I may not be picking exploits out of djb’s code, but damned if I don’t have aspirations to write policy that would please hackers and Feds alike. You could call me a hacker of policy. Or the gangster of love, that’d be fine too.
So that’s my love-hate relationship with the security world, naive as it must seem not even being a professional in the field. But it’s a unique sport, one in which amateurs shape the game, pros struggle to keep up, and the refs don’t know what the fuck is going on. Why I insist on taking it up again and again in the heat of summer is just as puzzling to me as the sport itself.