Security Pro Hypocrits

Well, we all know that last week was the 18th revision of the largest “hacker” conference in the world, DefCon, and its spin-offs Black Hat and BSides. I had a great time and met a lot of awesome people. And, as I’ve mentioned, lined up 3 new jobs. 🙂 But, I have an issue.

It won’t be news to anyone who’s been going for a while that DefCon has gotten more, well, corporate, especially since the inception of Black Hat. More and more of the speakers are well groomed “security researchers” from various software companies who are trying to drum up business. More and more of the attendees seem to be the type that do their 9-5 job and go home to watch a ball game rather than spending all night coding or using a soldering gun. That’s okay; I want anyone who is interested, in the tech or the culture, to be welcome.

But with the shift comes an apparent shift in, well, philosophy that disturbs me. To whit: all these corporate and government folks go on and on about how to Assure the Confidentiality, Integrity and Availability of their employers’ data, while openly claiming that individuals have no right to or expectation of such protection.

I can’t tell you how many times I heard speakers claim that “Privacy is dead” or “If you put anything on a social network, you should assume it’s public” or “Allowing anonymity is too dangerous.”

What. The. Fuck.

So it’s perfectly okay – indeed, expected (“due diligence”) – for big companies to keep what they’re doing secret, but practically a crime for individuals? Standard practice for a corporation to rely on authorization / access controls, but too much of a burden for a consumer service? A horrendous crime to copy a Lady Gaga song without permission, when people assume they have carte blanche to copy others’ images, blog posts, tweets, or documents and put them in their Power Points for Black Hat?

One speaker – it won’t take you long to figure out who – spoke of the dangers of using so-called “darknets”, including Tor. (In fairness, he mentioned that Tor was not technically a “darknet”, whatever that is, but he applied all the same lessons to it.) It’s true – using Tor or P2P or mesh networks, etc., has risks. There’s the risk of being pwned, or DL’ing malware, etc., and the risk of legal action, both for what you do and what you enable others to do. His conclusion? “Don’t use them.” Essentially, he seemed to think they were only for bad guys.

Oh, and his reason for believing this was partly based on having examined the traffic on Tor exit nodes, which is pretty clearly a violation of federal wiretap laws.

That aside, did he ever think there were legit reasons for using Tor? Like, journalists / activists? Legally gathering corporate intelligence? Law enforcement and counter terrorism? To get around national censors in countries like China and Iran? To not get harassed? Keeping controversial viewpoints from being associated with, say, your LinkedIn account? And what about penetration testing?

The same goes for Bit Torrent, Freenet (why were you surprised that I’d heard of Ian Clarke, dude??), Gnu Net, etc.

People: information security is not only the right of wealthy corporations (I include most governments in that class). It’s the right of anyone who chooses to take advantage of it (like any right). Frankly, I think a neo-con government data mining everyone’s email is a bigger threat to our democracy than a hacker joy riding a corporate network.

The problem is that A) few people are paying infosec pros to protect the data of individuals and B) it’s hard. If an employee violates rules on protecting data, you can fire, sue or jail them. What are you going to do if a Facebook friend reposts one of your pictures? At most, you’ll ask them to take it down – by which time it’s probably been shared, Liked, downloaded, saved, emailed and cached a million times.

That doesn’t mean we should just write it off.


One Response to “Security Pro Hypocrits”

  1. itza11hyp3 Says:

    I think it’s those mindsets that have gradually taken away an individual’s right to privacy. To wit; I’ve been taking time to help more and more individuals and small businesses with their security; all of them tend to be stepped on or underprotected because of price points.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: