Deconstructing the Hype
As a security consultant, I get a lot of e-mail about every topic
in the security arena. Running a popular
I tend to get more than most, especially with new product advertisements.
For the most part I give them a once over before deleting them, just
to keep up with the latest names in the field. Every once in a while
one will strike me as odd or noteworthy for one reason or another.
Some grate against every last nerve in my body and lead to rantings
I call articles.
On November 26, 1999 I received mail about a new Windows NT security
scanner. I shared this with a colleague who quickly shared his
frustration in reading product announcements like this. We both
see eye to eye on marketing hype, especially hype revolving around
the hysteria that hackers will invade your server, delete your files,
and kick your dog. The solution is always the product being advertised
which always seems to have been invented by ethical hackers or
anti-hacker experts. Nothing is invented by 'security professionals'
anymore. Looking at the email, something jumped out: (names have been
left out as this is a bigger problem than a single company)
xxxxxxx SOFTWARE - xxxx: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your
Plug NT's holes before they plug you. There are many hundreds of known
NT vulnerabilities. New ones are found daily. You just have to protect
your LAN _before_ it gets attacked. xxxx is a new tool that solves your
NT security exposure in a completely unique fashion. xxxx is not just a
shrink-wrap product. It comes with a responsive web-update service and
a dedicated Pro xxxx team that helps you to hunt down and kill Security
holes. Originally built by anti-hacker experts for Secure Government
sites. Download a demo copy before you become a statistic.
One line jumped out at me:
"Originally built by anti-hacker experts for Secure Government sites."
This one simple line says so much more. Unfortunately for them, it
says many a negative thing and leads to more questions and harder
earned trust. What seemed like a good marketing line then often ends up
doing more damage than they could imagine. Security professionals are
often cynical and skeptics by nature. As such, they read into the small
details as their profession often demands. Sentences like this make
us wonder if they are just lying about a product's origin, or do they
realize this undermines the integrity of their product. Either way,
the company loses.
"Originally built by" leads to an obvious question. Who builds
and maintains it now if not the 'anti-hacker experts' that originally
did? A common tactic adopted by many companies in and out of the
security field is to hire well known and highly respected professionals
to build a team/practice/product/company. Once a solid name and positive
reputation are built, they move on to bigger and better pastures. The
minute they leave, a new world evolves leaving the team-product in
different hands. Often times the deep impact of the salary or fee
required to bring in the big names is seen in the low pay of the second
wave. That low pay often translates into low skill as well.
"anti-hacker experts" makes you wonder if they mean experts in
anti-hacker ways such as firewalls and security mechanisms. Or perhaps
they mean experts on hackers which in turn makes them 'anti hacker'
and this is just the blend of words to convey that idea. The use of
"anti-hacker" suggests they mean something other than "security experts"
so we can conlude their original product designers were "anti-hacker"
in the sense that they knew hackers, their techniques, their philosophy
and more. Anyone with passing familiarity of hackers and security
would quickly doubt this claim. Every group or article or company
that claims to be an expert on hackers tend to disagree with one
another. A general lack of information or ability to adequately
address the problem suggests these people are far from experts when it
comes to hackers.
"for Secure Government sites" is a very curious conlusion to
the sentence. Why is 'Secure Government' capitalized? Is it some indication
they are referring to specific machines with a particular named
designation? That seems to make no sense. Perhaps the marketing department
was over anxious in emphasis of their product. Running with that idea,
we can assume they mean "secure government sites". Once again, this is
a curious claim. If they are talking about proven secure machines utilized
by our government, why not call them by name? "for SIPRnet" has a much
better sound and at least makes it sound more legitimate. But they
can't claim that if it isn't true, because it is a specific network
with a well documented trail of who worked on it. So they must mean
secure government servers in general. This claim is purely absurd as
we see dozens of government and military computers compromized each
week. The illusion that the government must run secure servers has been
resigned to nothing more than jokes told by hackers and security consultants
alike. This claim is more amusing when looking at a list of the government
servers that have been defaced, along with
what operating system they were running
at the time.
Yes, this seems like an awful lot to read into a single line of some
product advertisement. However, for those involved in the security
field who are tired of hype and mystique being built around old
illusions, it becomes a personal insult.
Brian Martin (firstname.lastname@example.org)