It’s a tough time to be a CISO in an enterprise of any size these days. I don’t want to be a whiner, but when you look at the challenges being faced by the folks who play permanent defense, things are looking pretty bleak. APTs to the right of us, auditors to the left of us, onward – onward – into the Valley of Compliance…
But that’s not what I’m here to talk to you about today.
I’m here because so many in the “security researcher” community have become -- well, hypocrites.
Lemme s’plain. No, it’s too much – I sum up.
When the CarrierIQ story broke, what happened in our community? People went berserk. “How could they do this?” “It’s EEEEEEVVVVIIILLLLL!!!” “They should be prosecuted to the fullest extent of the law!” and on and on and on.
And for what?
For something that the vast majority of them would have been cackling in glee about had someone in a black t-shirt and questionable personal hygiene been presenting it in a meeting room of a hotel in Vegas. Had the CarrierIQ tech been revealed by a “researcher” it would have been seen as further evidence of the total incompetence of the carriers, phone manufacturers, and phone OS providers. Had a “researcher” presented CarrierIQ, anyone who said, “Gee, this tool could be used for underhanded and devious things” would have been scolded into submission on the Twitterz because, after all, The Community Needs These Things.
What gets this CISO angry (amongst diverse other things) with the community is that we have developed a serious case of situational ethics. We readily explain away the things we do that could negatively impact the security and privacy of millions of people as “projects”, “proofs of concept”, and “just plain old hacking”, but throw a complete conniption fit when a corporation does the same. Are we that special? Or does being a hacker make one impervious to irony?
Look – I expect hackers to be hackers. I know that any piece of technology I own or gets deployed in the factory is going to get hacked at some point. I accept that. I also expect companies to be companies. I know that anything I buy for myself or the factory probably is gathering information for the vendor to use in marketing, etc. I accept that.
So should you.

__________________________
The Angry Angry CISO, when not writing as part of anger management treatment, is the head of information security for a medium-sized enterprise somewhere in North America. The Angry Angry CISO speaks only for the Angry Angry CISO.