The worlds of information security and professional wrestling really aren't all that different.
<pause>
On the surface, the preceding statement may seem absurd to some, but looking at each realm from the perspective of an observer with a decent working knowledge of both "industries" can provide several examples of parallelism. In general, both center around conflict resolution as an end-game. Aiming toward that end, both also provide various levels of vulnerability management and incident response that occur during any particular situation (also known as an "angle" or "program" in pro wrestling parlance) and often involve different levels of drama, strife, and of course, entertainment.
As the Internet became more mainstream in the early to mid-1990s, many professional wrestling fans who were privy to behind-the-scenes knowledge congregated on USENET's rec.sport.pro-wrestling (aka RSPW) to discuss current and potential storylines, in-ring action, and the politics involved with the business side of the industry. Perhaps ironically, RSPW was one of the more popular newsgroups during this time even though the "typical" professional wrestling fan had (and still has) been stereotyped as being of lower-than-average intelligence with a slim chance of being able to communicate effectively, especially over a medium like the Internet with providers as complex as AOL and CompuServe (*cough*). Much like today's Twitter, where information security professionals and enthusiasts share news and short bursts of wisdom (or idiocy) in a public forum, RSPW subscribers were highly active on a daily basis, and at times the conversations mirrored the tone and attitude of professional wrestling itself. Over time, some newsgroup posters evolved into personas, emulating the "faces" (good guys) and "heels" (bad guys) similar to the protagonists and antagonists in professional wrestling itself.
The information security industry has gone through something similar over the past several years. As previously mentioned, Twitter has become one of the industry's favorite ways for companies, organizations, researchers, and enthusiasts to communicate in near real-time about dozens (hundreds?) of subtopics on an hourly (per-minute?) basis. The increase in frequency of communication has often led to an almost free-for-all feel to the infosec Twitter community, and it's probably not much of a stretch to assume that certain social "roles" or personas have either intentionally or unintentionally been assumed by some security professionals, whether as an accurate reflection of their true personalities, an extension of their personalities into exaggerated personas, or flat-out (again, to use a professional wrestling term) "gimmicks" to increase their popularity (certainly @attritionorg has been known to intentionally add some flair to their tweets).
In the context of professional wrestling, the word "work" is sometimes used to describe the common in-ring action of the actual matches, but it also has another meaning that is less known to the general public. According to the "Glossary of professional wrestling terms" on Wikipedia:
Work (verb) to specifically and methodically attack, especially a single body part. To "work" on a body part (i.e. an arm) would be to repeatedly use force on that part, until it is damaged enough to be used in the finish of the match. Also, the act of deceiving or manipulating a person or persons, which may or may not be done to preserve kayfabe (which is defined as a "term used to describe the illusion (and up-keep of the illusion) that professional wrestling is not staged".)
When wrestlers, managers, promoters, or anyone involved with the "inside" of professional wrestling "works" fans, they are essentially attempting to create and/or maintain the perception that what the fans see is, to some degree, "real". An extension of "working" has also been known to happen in backstage politics within wrestling organizations; in some cases, certain backstage works have become legendary within the industry, and others have been debated for years as to whether or not the situation in question was planned in advance or was a "real" event (also known as a "shoot"), such as the industry-famous "Montreal Screwjob" involving Bret Hart and Vince McMahon in November 1997.
While members of the information security "community" (a word used loosely here, as the author prefers the word "arena" as a substitute) may take some offense at the notion that "real" events related to security could be compared to "works" in professional wrestling, there have been several well-known events or topics in the security industry where many of the elements of a successful wrestling angle are present: conflict, drama, strife, and the one element that keeps people hooked: entertainment. Below are some comparisons between events in the security industry and some classic (or at least more well-known) wrestling angles.
The 2011 AusCERT conference certainly provided its share of controversy when a security researcher used "private" Facebook photos to make a point during a presentation. When Christian Heinrich gained access to the supposedly protected pictures of HackLabs director Chris Gatford's wife, questions of unethical behavior and "how far is too far" were at the forefront of the matter and the ensuing media attention, which resulted in the arrest of an Australian journalist, turned ugly pretty fast. According to those familiar with the situation, there was apparently no love lost between Heinrich and Gatford even before this whole can of worms was opened, so any "heat" that existed between the two men before the conference certainly wasn't going to be resolved by using personal pictures as one of the primary focuses of a presentation.
But let's face it... using personal and/or private photographs in an attempt to embarrass a rival can be quite entertaining (and may occasionally be a part of "doc dropping", which has been around for years), and a similar situation had been used as a professional wrestling angle in 1986 when "Baby Doll", the then-manager of Larry Zbyszko and former manager of Tully Blanchard, showed up on television with a mysterious envelope during interview time with Dusty Rhodes. Baby Doll handed the envelope, which supposedly contained potentially embarrassing photographs, to Rhodes, who peeked at the contents and walked off the set, thus "selling" the idea that the pictures were particularly disturbing. To be clear, the difference between this angle and the real-life situation between Heinrich and Gatford is that at AusCERT and during the aftermath, there were no allegations of blackmail; the pictures in question at AusCERT were in and of themselves not particularly embarrassing. Another difference is that journalist Ben Grubb was arrested for "receiving unlawfully obtained property" after the AusCERT conference (see link above), but in the world of professional wrestling, it's apparently perfectly fine to show up on a television broadcast, imply that you will take a particular course of action that is detrimental to another individual unless they give you something of value in return (extortion and/or blackmail), and you will face neither civil nor criminal charges, only the possibility that you and/or your associates may get your asses kicked on television or at multiple house shows at some point over the next three to four weeks.
Well, that never happened. There was no follow-up to the Baby Doll - Rhodes angle; because Baby Doll's real-life husband had signed a contract with the WWF around that time, the entire angle was dropped from television and never mentioned again, much like what is probably expected to happen to the situation between Heinrich and Gatford. In the grand scheme of things, the security community got its yuks and the AusCERT matter has already started to fade from memory in favor of whatever angle(s) the community latches onto next.
When the Payment Card Industry Data Security Standard (PCI DSS) was first introduced in 2004, a mini-war began between those who supported the idea of having a 12-step program to ensure payment card data security and those who felt that the standard was incomplete, ineffective, or otherwise just "a really bad idea"™. While the PCI DSS does incorporate some fairly sound ideas into the standard, the oft-repeated phrase of "compliance is not security" has been uttered by countless "security folk" until they've almost turned blue in the face. To some of these people, the concept of security as a whole is an ideal, and while it is generally accepted as less than perfect in implementation and practice, the thought that a standard set forth by businesses and corporations and not "security folk" (*gasp*) has somehow become a baseline for accepted industry practices, well, that thought seems to make them hoot, holler, cringe, and cry, as if the PCI DSS somehow sold out the entire security industry in one... little... document [*].
Enter Cactus Jack, better known these days as Mick Foley, former professional wrestler and New York Times Best-Selling Author (that plug's for you, Mick). Cactus Jack had long been known as one of the true representatives of Extreme Championship Wrestling (ECW), a small regional promotion based out of the Philadelphia area that prided itself on being "hardcore" in its in-ring wrestling product and storylines. ECW had gained quite the cult following, especially among the aforementioned RSPW and other "smart marks" (or "smarks") on the Internet. In the mid-1990s, WWE and WCW were considered to be the top players in the wrestling business, while smaller promotions such as ECW generally had a harder time gaining mainstream popularity and often struggled financially. Regardless of its difficulties, ECW had one thing in its favor that the other promotions did not: at ECW's peak, its fans were among the most ferociously loyal and vocal of any sports fans in North America. When wrestlers made mistakes in the ring, the crowds would chant "you fucked up!" to show that they expected a better performance. By the same token, the crowds would also chant "you sold out!" when they learned that any of their favorites had made a career decision to leave ECW in favor of the more mainstream, less "hardcore" and better paying WWE and WCW organizations.
Which, of course, is what Cactus Jack eventually did.
In late 1995, ECW's beloved Cactus Jack signed with WWE and began his transition out of ECW. Because the fans had learned of his eventual departure weeks before his final ECW match, they were somewhat brutal in their treatment of Foley's character, showing their overall disdain and antiestablishmentarianism because the "hardcore legend" Cactus Jack was, in fact, selling out. Foley signed for better pay, better structure, and a chance to have his work seen by millions of fans on a weekly basis instead of a few hundred fans here and there at spot shows in bingo halls. Foley's decision was a *business* decision and the one that made the most sense from a financial security standpoint, but this appeared to have been lost on the fans. The peak of their ire was drawn when Cactus Jack appeared in an ECW ring with a shirt with a picture of WCW executive Eric Bischoff on the front and the words "Forgive me, Uncle Eric" on the back, which was directly designed to further the ECW fans' already intense hatred of Bischoff and WCW.
A parallel can be drawn between this wrestling angle and the debate surrounding how the PCI DSS fits (or doesn't fit) in with information security. While not completely perfect in either its design or execution, the PCI DSS appeals to the masses who want or need some type of standard to help them better their security practices. It can be compared to the WWE and WCW products of the time which, while not perfect, were designed for mass appeal and did fulfill the basic needs of *most* wrestling fans. Because the "hardcore" ECW fans were unwilling to accept the benefits of a completely different product for a completely different audience, they were sometimes viewed as elitist assholes who held any wrestling organization with mass appeal in contempt, because as many of us learned in high school, not liking popular stuff is sometimes nothing more than a sign of rebellion and then you end up liking the shit five years later when everyone else has forgotten about it. ECW fans did nothing to help make WWE or WCW better, but they were great about bitching about them. It can be (and has been) argued that some information security professionals who complain about PCI DSS (for whatever reason) are in the same boat.
"Cyberwar" isn't exactly a new concept to the information security arena. Going back as far as 2001 and even farther, it feels like every two or three years, a new round of general cyberwar wonkiness settles upon us, leading a whole new round of asshats to freak out like it's the end of the world, or at least like they just rm'd all of /etc on their favorite Linux box. Looking at the vast majority of the mainstream media stories on "cyberwar", it's generally fairly obvious to see that the perceived conflicts are always an extension of the conflicts between particular political ideologies; the U.S. and its allies are usually portrayed as the defenders against "cyber-attacks" from "hostile" nations such as China and North Korea. Despite having the world's largest military and most complex technological capabilities, the angles of these stories usually cast the U.S. as victims of such attacks instead of what it really is, which is THE COUNTRY WITH THE WORLD'S LARGEST MILITARY AND MOST COMPLEX TECHNOLOGICAL CAPABILITIES. Like the PCI DSS, cyberwar is big business so it's really no surprise that it becomes popular on a recurring cycle.
For at least 70 years, professional wrestling has known one thing about nationalism: it sells tickets. "Evil foreigners" have been portrayed as the heels in professional wrestling at least as far back as World War II, with German, Japanese and Russian antagonists often being placed into main-event level programs with American faces, and more recent "evil foreigners" such as The Iron Sheik were always sure to spark pro-USA crowds. Not all of the faces were flag-waving All-American heroes, however. In 1985, a "Russian" faction of Ivan Koloff, Nikita Koloff and Krusher Khruschev (who were actually from Canada, Minnesota, and Minnesota respectively) held the NWA World Tag Team Championship and were placed into a program with the Road Warriors, who held the rival AWA World Tag Team Championship at the same time. The Road Warriors, also from Minnesota, were originally heels at the beginning of their careers, but were eventually switched to faces because no matter how much they cheated or who they were placed into a program with, the crowds would just not boo them. The Road Warriors were just *so* bad-ass that the crowds loved them, so it made sense to pit them against the Russian team in the waning years of the Cold War in Reagan's America. The ironic part of this is that the Roadies weren't flag wavers or Hulk Hogan-esque "Real Americans". They just loved to beat people up. Ten times out of ten, however, you could count on the crowd to start a "U.S.A.! U.S.A.!" chant during their matches with the Russians because the Russians were... well, Russians.
Cyberwar can be seen in the same way; no matter how displeased the American people become with the antics of their own government, they'll definitely jump on the bandwagon and back it when the opposition is "those dirty, evil, scummy (insert nationality here) foreigners". "Cyberwar" and those who jump up and down screaming its name are nothing more than sensationalistic tools used by the aforementioned asshats who are trying to make money for themselves, just like wrestling promoters and wrestlers have been doing for decades.
Some people may argue that the Transportation Security Administration doesn't really fall under the "information security" field, but as long as they're involved with security and they get people talking about security, they qualify for the purposes of this discussion. There is no need to recap the entire timeline of the TSA's rise to the position it has today; unless you were sharing Osama bin Laden's cave (wait, what?) for the past ten years, you know why the TSA exists, what it does, and that a good number of people including, but not limited to, airline travelers aren't always happy with them. From 6-year-olds getting groin-patted to no-fly lists to (allegedly) excessive infringements of personal privacy and constitutional rights, everyone hates the TSA, right?[**]
No, not really. There is still a significant faction of travelers and U.S. citizens who believe that the TSA is fully within its charter and rights to do whatever is deemed necessary to protect American citizens and ensure the security of domestic and international air travel. The TSA *does* have its supporters, but they aren't heard as frequently or as loudly as its opposition. After certain events occurred and the federal government deemed it necessary to heighten security on all commercial air travel, it was as if the TSA showed up one day, walked through a crowd at an airport and said "you know who we are... but you don't know why we're here."
In 1996, in the middle of a match during WCW Monday Nitro, someone did just that. Scott Hall's contract with WWE, where he was known as Razor Ramon, had expired the day before and although the interruption of the broadcast was completely planned by Hall and the WCW booking committee, the crowd and viewers at home who had not been made aware of the angle through Internet gossip were completely in shock. Here was one of the WWE's biggest stars appearing on a rival's live broadcast, apparently under the guise of still being affiliated with his former organization (not employer, as professional wrestlers have been considered to be independent contractors for as long as dirt is old). Over the next several weeks, other wrestlers who were formerly with WWE showed up on WCW broadcasts and eventually formed the New World Order, or nWo, to war with existing WCW wrestlers and the organization itself. The nWo was authoritarian and sometimes abrasive; they also absolutely captured the interest of the fans every time they did something unique in the public eye.
Like the TSA, the nWo had both detractors and fans alike, was controversial, and eventually faded into the background when people realized that the group would go away when people would stop buying tickets. We're still waiting for that last part to happen to the TSA... hey, nobody said that airline travelers are as smart as wrestling fans. Try to imagine Scott Hall wearing blue gloves along with that denim vest ("me.. I go wherever I want... whenever I want"). Had to replace the YouTube clip when it went missing, so sorry for any 15 or 30 second ads in this one.
Perhaps one of the closest parallels between an information security "situation" and a professional wrestling angle can be drawn between two very distinct factions: the information security "community", represented largely by attrition.org [***] and LIGATT Security International, represented by Gregory D. Evans. It's no secret that what appears (to the author, at least) to be the majority of infosec professionals who even know who Evans is don't care much for him, and it's probably safe to say that Evans holds an equal level of disregard for those same people. Regardless of who did what and when they did it, Evans and the "community" simply do not seem to be able to get along. Shortly after attrition.org began to update its entry for Evans in its Errata section, a back-and-forth onslaught of tweets, blogs, and articles took over a great deal of time and effort for all parties involved. While the information in attrition.org's Errata section was carefully vetted for accuracy, a lot (meaning A LOT) of insults were still traded between Evans and his detractors, which at times dragged the conflict down to a level somewhere between Death Valley and Hell. The conflict eventually took an even more dramatic turn when Evans' company's email system was hacked, which revealed potentially sensitive information to the public at large. And yes, there were lawsuits. And there still are.
One of the most intense and brutal feuds in professional wrestling history took place across Georgia during 1982-1983, when Tommy Rich and Buzz Sawyer simply decided that they didn't like each other and proceeded to beat the hell out of each other on a near-nightly basis for over 18 months. Yes, 18 months... in a row. This was back in a time when wrestling promotions would hold anywhere from 7 to 10 cards a week across a region and then start the cycle all over again, town-by-town, the very next week. The Rich-Sawyer battles were intense and exhausting for not only both men, but also for the fans who had become emotionally invested in cheering for their favorite (generally Rich, as he was the face of the Georgia promotion and a former NWA World Heavyweight champion). By the time the entire program had run its course, it was said that both men had changed in their personal lives as well and would never be the same. With that said, keep in mind that Rich and Sawyer were technically "working"; the outcomes of their matches were still predetermined and they followed the instructions of the person booking the matches for the promotion. Their work finally became overbearing, and to wrap up the entire program, they wrestled (read: brawled) one final match billed as "The Last Battle of Atlanta" in a cage with a ceiling attached (this was almost 15 years before the WWE "innovated" the "Hell In A Cell" match in 1997).
And that was it. Just like that, it was over. Finally. [****]
While infosec skirmishes can be entertaining on the surface, many of them run the risk of ending up like the Rich-Sawyer program. They can be long and tiring, and can continue on because some people want to be entertained well past the time where common sense would tell all parties involved to stop, regroup and move on. The two videos below show the program in different stages of the timeline.
To those who made it this far, hopefully these ideas and comparisons have been at least a little thought-provoking, if not always an apples-to-apples match. It probably would not be inaccurate to say that any profession that includes any level of drama could also be compared to professional wrestling, but I'm not involved in any of those other professions (although being a head chef at an Olive Garden does sound appealing on some days), so infosec was an easier target for me to tackle. If any readers can think of any other examples of infosec drama that might match an old or current professional wrestling angle, please feel free to send your ideas to lyger[at]attrition.org; if enough good examples come in, maybe there will be a follow-up to this article some day.
Copyright 2011-2013 by Lyger. Permission to redistribute granted for non-profit uses. YouTube videos are embedded, so blame YouTube if any of them break. The author does not use or even like Twitter and/or Facebook, so please email him your comments if you want him to see what you have to say. Because of his mention in the article above, any autograph offer from Mick Foley will be accepted without hesitation (HI MICK!).