A few humble observations regarding the current state of InfoSEC

Steven M. Christey cross-posted these questions to a bunch of InfoSEC lists. Here’s what I think.

1) What is the state of vulnerability research?

It’s piss poor, on average. There are a few standouts but, for the most part, it’s largely comprised of blowhard, grandstanding fools.

2) What have researchers accomplished so far?

There are a few standouts who are doing unique research and there are a bunch of brokeback-hack-alongs who content themselves with drilling little holes around the big holes already drilled out by the aforementioned standout researchers. What do I mean by this? OK, one researcher decides to go in and really figure out what makes PROTOCOL_X tick and writes a nice tool that automates this testing. Then 550 researchers snag the free version of the tool and find 50 related bugs. They don’t care that all they did was crank up a GUI tool that only required that they point it at an IP and click ‘start’ – they’ll happily prance and parade around their trivial little lemmas like they just did something.

3) What are the greatest challenges that researchers face?

It would *seem* that their greatest challenge is getting their names published. These ‘researchers’ often bitch and whine because vendors don’t “take security seriously” and won’t “release a patch for this G-dawful flaw that I just found”, etc. This can all be loosely translated to “They’re not paying attention to me, publishing my name and showering me with accolades”.

4) What, if anything, could researchers accomplish collectively that they have not been able to accomplish as individuals?

I don’t know and I don’t need to know because it’ll never happen. Even (especially?) dummies are smart enough to realize that the larger the group of researchers, the higher the chance that they end up on the short end of Zorn’s lemma.

5) Should the ultimate goal of research be to improve computer security overall?

No! Let’s be honest here. The good researchers do *it* because *it* is in their blood. Hacking is an ART FORM, and if you don’t get that, then you won’t get anything else here today (or any other day). Hackers (let’s quit calling them ‘Security Researchers’ shall we? Good Security Researchers are hackers and hackers are artists, so says I) were born figuring out how scheisse works and they just happen to work with the MEDIUM of internet technologies. Tag research with some altruistic goal and they’re prone to go apply their talents elsewhere. You may be saying “but so-and-so has stated that the goal of all their research has been to increase computer security for mom, pop, and little Tommy…blah blah”. So-and-so is lying or they are already independently wealthy from all their previous research and now deceive themselves that their goal was something other than ‘scratching an itch’ or making money.

6) What is an “elite” researcher? Who are the elite researchers?

I think I already alluded to this in item 2 (see the researchers doing unique research…). They are kind of like the mafia. If you live in the neighborhood, you know who they are.

7) Who are the researchers who do not get as much recognition as they deserve?

I don’t know. I’m sure there are some but if they choose not to be recognized then leave them at that. Researchers get as much credit as they want. Even the brokeback-hack-alongs get recognition. The true artists who don’t get recognition do it by choice, imo.