[Dailydave] Some slides for a keynote

Michal Zalewski lcamtuf at coredump.cx
Tue Apr 8 11:09:34 EDT 2014


> https://docs.google.com/presentation/d/1Sv8IHkBtBEXjSW7WktEYg4EbAUHtVyXIZBrAGD3WR5Y/edit#slide=id.p

Interesting. I have argued in favor of this position when it comes to
vulnerability research: people like to paint their motivations in a
variety of ways, but most of the actions they take are best explained
by just wanting to see the world acknowledge your skills. Being in the
headlines or in the limelight at a major conference can give you quite
a powerful fix. And because most journalists struggle to tell good
research from bad, it also provides a powerful feedback loop that
can prevent you from improving your skills.

In any case, I agree with you that this applies to attackers. The NSA
/ GCHQ materials published to date reminded me more of people bragging
on IRC in the 90s than a self-composed organization focused on
well-defined goals. Of course, we should keep in mind that materials
we see were cherry-picked out of a huge pile: the ones that make them
look ordinary do not make a good story.

As an aside... in almost any sufficiently large organization, security
teams are involved in internal investigations of criminal activity,
help take down carder networks, do a night raid or two, and
participate in other things that get your blood pumping. Still, they
show more restraint than the intelligence community; saying things
like "I hunt users" would get them in trouble even if it is
superficially true. I guess that organizational incentives matter,
too.

/mz

