Bemoaning the death of Hacker Culture
"In academia, a hacker is a person who follows a spirit of playful cleverness and enjoys programming. The context of academic hackers forms a voluntary subculture termed the academic hacking culture."
This is why I got into the security industry. I like to take things apart to see how they work, break things, and try to put them back together. After college, I could easily have gone the route (which was much higher paid and more high profile at the time) of a full-time programmer. I chose a route where I would make less but do much more interesting things on the job.
In 2007, I get the feeling that professionals are entering the information security field to become some sort of a "digital security guard". Let's check the definition again:
"A security guard or security officer, is usually a privately and formally employed person who is paid to protect property, and/or assets, and/or people. Often, security officers are uniformed and act to protect property by maintaining a high visibility presence to deter illegal and/or inappropriate actions."
I think there are too many InfoSec professionals looking at their job duties as sort of an IT rent-a-cop. Don't mistake what I am driving at here: I am by no means saying we do not need a monitoring function as part of a holistic information security practice! To further illustrate my point, take the job of an IDS/IPS analyst.
As a subscriber to the Hacker Culture School of Information Security, if I get an IDS/IPS analyst job, the first thing I am going to do is take my IDS/IPS equipment apart. I'll blast it with all sorts of horrendously mangled traffic and see what gets by it. I'll try to understand what types of shellcode can defeat its monitoring capabilities. Perhaps it can detect covert channels by looking at the randomness in the distribution of character sets; perhaps it can't detect a simple shell that is XORed with a predetermined value. You get the idea. I can then apply what I have learned about the chinks in the armor of my primary defensive weapon, so I know which attackers are going to be able to defeat my tools.
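As an added example (my own code, not from the original post) of the self-testing described above, seen from the analyst's side: two cheap payload heuristics of the kind an IDS might apply, run over constructed samples. It shows that a single-byte XOR leaves Shannon entropy exactly unchanged, so a "randomness" check alone is blind to it, while a printable-character ratio still notices. Function names, thresholds and samples are assumptions made for the example.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab, LF, CR)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return printable / len(data)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed key; a bijection, so entropy is preserved."""
    return bytes(b ^ key for b in data)


def classify(data: bytes, entropy_threshold: float = 6.0,
             printable_threshold: float = 0.9) -> str:
    """Toy verdict: entropy check first (catches random/compressed/encrypted),
    then a printable-ratio check (catches trivially encoded text)."""
    if shannon_entropy(data) >= entropy_threshold:
        return "high-entropy"
    if printable_ratio(data) < printable_threshold:
        return "non-printable"
    return "plain-text"


# Constructed samples (not captured traffic).
SAMPLE_PLAIN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_XORED = xor_single_byte(SAMPLE_PLAIN, 0xAA)   # key with high bit set
SAMPLE_RANDOM = bytes(range(256)) * 4                # uniform bytes, entropy 8.0

if __name__ == "__main__":
    for name, s in (("plain", SAMPLE_PLAIN), ("xored", SAMPLE_XORED),
                    ("random", SAMPLE_RANDOM)):
        print(f"{name:7s} entropy={shannon_entropy(s):.3f} "
              f"printable={printable_ratio(s):.2f} -> {classify(s)}")
```

The entropy values for the plain and XORed samples print identically, which is exactly the blind spot an analyst wants to know about before trusting a randomness-based rule.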
A subscriber to the Rent-a-cop School of Information Security will likely spend his first month implementing signatures to catch employees playing fantasy football. He'll push for even more draconian policies to restrict something that is actually useful to the business and poses little to no threat, such as not allowing employees to use non-standard file compression. All the while, the 21st century digital security guard quietly plays fantasy football and runs WinRAR on his corporate laptop. Meanwhile, the Canadian Mafia (yes, there is a Canadian Mafia; no, it's not always the Russian Mafia) snags 21 million credit cards through the IDS/IPS he hasn't bothered to understand.
Well, enough ranting for one year.