Thanks. I am not yet an old geezer, just a curmudgeony late 20-something who wasted too much of his youth on the Internet. I’ve been on the Internet since ‘93, so I did get to see some of the fun. But now the Internet is SERIOUS BUSINESS.

What a terrific post to read first from your blog.

Oh man, I totally remember trying to find the magic bit that was broken in exploits on Bugtraq back then. It at least motivated me to learn enough C to get things to compile, so I suppose it was a good public service. =)

I like Marcus as a human being, if for nothing else, for his awesome side work as a fetish photog, but I’ve watched and read several of the anti-disclosure rants as well, and they just don’t compute.

If nothing else, the history above shows that both approaches have been tried, and neither have made much of difference. Looking to the next evolutionary leap forward out there somewhere.

As for Ranum’s talk, I didn’t agree with him when I saw it at BH 2000, nor do I agree with it now. He had been saying the same thing about full disclosure since 1998 or so. Script kiddies suck, but they were nothing compared to today’s malware/cybercrime threat. Did the IIS WebDAV, WMF, ANI, or the Microsoft Word doc exploits that popped the State Department come from Bugtraq? No. These attackers are finding their own vulnerabilities and writing their own exploits and tools. And they aren’t so kind as to share them on a public mailing list, let alone inform the vendor and responsibly disclose.

Pre-cybercrime hacking by skilled underground groups, full-disclosure, and script kiddies were all part of the wake-up call that the Internet slept through. Why did no one think that something was seriously wrong when teenagers were breaking into government agencies? Were those specific teenagers the problem? Or the fact that teenagers could break into the DoD over the Internet? I think the latter.

That is part of the reason why the current state of Internet security can best be described as damage control. More on this in a future blog rant.

Two small quibbles: you might’ve included Marcus Ranum’s 2000 Black Hat talk as the clarion blast that foreshadowed the “responsible disclosure” movement — it pre-dated the OIS by two years, and Microsoft’s SDL by about a year-and-a-half.

Also, the “global cybercrime is more profitable than the illicit drug trade” meme is without basis in fact. Ryan Paul debunks that notion here: http://arstechnica.com/news.ars/post/20051129-5648.html (That said, cybercrime is indeed a good business to be in, even if it doesn’t generate as much revenue as drugs. It is almost certainly more profitable.)

“But for us, when an outsider started to change the system programs, that meant he was showing a real interest in becoming a contributing member of the community.”

I think he’d find things have changed slightly these days. Then again, I guess it depends on his definition of ‘community’ and ‘contributing.’

+5 points for including Lopatic’s NCSA exploit. He’ll find this in two months when ego-surfing and smile to himself. Hey Thomas! :>

It is nuts. It is scary. Breeding out the ‘old guard’ wil happen also, as it’s a social and geo-political problem. Incentives and penalties will need to be introduced per country. Once RIRs get auth and sBGP, DNSSEC happens we may look at penalising entities. Virtual hosts, servers, networks and storage will also drive fluidity yet static nature of ‘virtual nodes’ transacting with each other.

Just a though…