Skeptikal.org

Friday, October 30, 2009

Apathy in the Security Community

I've been traveling a lot lately. I've seen a lot of interesting things, done some interesting things, and talked with some interesting people, some boring people, and some legitimate crazies. I have a lot of material to discuss, and a lot to ponder.

I mentioned in a previous blog post that Black Hat and Defcon left me with some insights into the world of security, and they were largely confirmed in the past weeks. Here are a few random thoughts and reactions:

The hacker community is getting stale. Sure, the attendee numbers at conferences are still growing, but in most cases, the hacker mentality just isn't there. Before I get flamed, yes, I know that it was always a small core of people, and those people are still there. In addition, I'm actually all for having the noobs show up at Defcon, just to get a taste of what we're all about. But... I keep thinking that when I go to these events, the excited-to-be-here and stoked-to-do-things vibe isn't nearly as strong as it was just a few years ago. Geeks aren't particularly social people; I can deal with that, but I'm seeing a lot of people who are just there to be there. I guess that happens in every community; I've seen the same thing happen in various other communities over the years, but I really don't like the idea of it happening to the hacker scene.

That said, there are always some bright spots. At Toorcon, I happened to be watching as two attendees rigged the candycorn-counting-contest. One asked the staff at the registration desk to stand up and face him for a photograph, and the other walked by and swapped out the jar of candycorns while their backs were turned. Most places, this kind of cheating would be unacceptable behavior, but at a hacker convention... I'm disappointed when I don't see it.

Short version... I dunno... I just want to see the attendees get more involved in those things. It's more fun that way anyways. You don't have to be a 1337 haxx0r who hasn't showered all week to make exciting things happen.

On the other side of a fast-growing split between the security community and the hacker community, we're seeing the same problem. I was in DC for CSI this week. I spoke on a 3-hour web security panel with Rafal Los, Joshua Abraham, Jennifer Jabbusch, and Sharon Besser. The people on the panel were smart, lively, and passionate about what they did. We had a great discussion. The people in the audience though... they didn't really care what was going on. I get the impression that half of them were just there for CPE credits, and the other half were government employees looking for a paid vacation. The fact that these people are tasked with securing data in both the government and corporate worlds scares the crap out of me.

There were a few people there who were willing to ask questions and actively participate in the discussion, but they were the exceptions. I don't understand how a person can work in security and not be extremely passionate about his job. We do very cool work here and we work with very interesting people. Having spent time in a lot of other industries, I can honestly say that I've never worked with a better group of people. What's more, if you aren't passionate about it, there is no way you can keep up. The security world changes daily, and while we joke about our addictions to our smartphones, email, and twitter, if you take a few days off, you really will get left behind. It takes serious commitment just to keep up, but it's totally worth it.

If you're one of those people who just doesn't care, get out of this industry. There's got to be a better use for your time. If you do want to stick around, find a project to work on, something to get involved in, or at least start a blog with random thoughts. Even if you're wrong, ridiculed, and flamed, it's helpful to you, the community, and everybody else.

Maybe I'm an idealist, but I just want to see other people get as excited as I am.


Friday, October 2, 2009

Browser Security Tools: RequestPolicy

Note: I originally posted this piece on my employer's blog. I'm shamelessly cross-posting it because this is a really cool extension, and I want lots of people to check it out.

I spoke about CSRF attacks at Defcon a few months ago, and while I was there, I had the opportunity to meet with Justin Samuel, the creator of RequestPolicy. RequestPolicy is a Firefox extension designed to provide CSRF protection and enforce web application boundaries. I love it.

RequestPolicy completely breaks the web... in all the right ways. You'll initially hate using it. StumbleUpon links will no longer work, due to their use of cross-site iframes. Shortened bit.ly and tinyurl links will present you with an intermediate page instead of silently following the 302 redirect to another domain. Deeplinked images on blogs, social networking sites, and other pages won't show up. You will have to manually approve off-domain requests on a case-by-case basis. It's not convenient, but it's a lot safer than letting your browser blindly request resources: every cross-site request your browser makes carries your cookies for the destination site, and that is exactly what a CSRF attack relies on.

In short, RequestPolicy gives you granular control over your browser. If you know what you're doing, this is a good thing. If you're a normal user, you'll probably find yourself checking the "Temporarily Allow All Requests" box or disabling the extension completely. I can't say I'd blame you, but try not to. The extension is still very young in its development process, and most of the issues that I've run into are UI/usability problems. The developer is aware of many of these issues and working to fix them, but it's not easy. Samuel is very open to suggestions, feedback, and criticism, so if you have useful input, I'm sure he'd be happy to hear it; just hit the contact link on the extension's website.

The UI is heavily modeled after NoScript, so if you're a fan of that extension (and you should be), it isn't too difficult to figure out. Off-domain requests are blocked by default, and can be enabled on a per-site, as-needed basis. The preferences pane is simple and fairly easy to understand, allowing you to more easily manage your whitelist of allowed domains. Additionally, the extension ships with a setup wizard to create generic whitelists based on common sites (reCAPTCHA, for example, has to be whitelisted as a destination for every domain that uses it). All in all, it's pretty easy to set up, and though it will break a lot of sites at first, as you fine-tune the settings to your browsing habits, it really doesn't get in the way too much.
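To make the model behind the two paragraphs above concrete (blocked deeplinks and redirects, default-deny for off-domain requests, per-site and generic whitelist rules), here is an added example of that decision logic written for this post. It is not RequestPolicy's own code and does not reproduce its internals; in particular, `baseDomain` keeps only the last two DNS labels as a deliberate simplification (the real extension has to cope with suffixes like `co.uk`), and every hostname and whitelist rule below is constructed for the demo.

```javascript
// Added example: a simplified model of how an origin-based request policy
// decides whether a page may load an off-domain resource. Not the
// extension's code. Assumes Node.js (global URL class).

// Simplification (not what a real extension does): treat the last two
// DNS labels as the "site", so www.example.com and example.com match.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// Whitelist rules are {origin, dest}. Either side may be omitted to mean
// "any": {dest: "recaptcha.net"} is the wizard-style generic rule that
// lets every site you visit talk to reCAPTCHA.
function decide(documentUrl, requestUrl, whitelist) {
  const docSite = baseDomain(new URL(documentUrl).hostname);
  const reqSite = baseDomain(new URL(requestUrl).hostname);
  if (docSite === reqSite) return "allow"; // same site: not a cross-site request
  for (const rule of whitelist) {
    const originOk = !rule.origin || rule.origin === docSite;
    const destOk = !rule.dest || rule.dest === reqSite;
    if (originOk && destOk) return "allow";
  }
  return "block"; // default deny for everything off-domain
}

// Given a document and the URLs its markup would fetch, return the loads
// that survive. This is why deeplinked images "won't show up".
function filterPage(documentUrl, resourceUrls, whitelist) {
  return resourceUrls.filter(u => decide(documentUrl, u, whitelist) === "allow");
}

// A 302 is just another cross-site request: the redirecting URL is the
// origin and the Location target is the destination. A "block" here is
// where the intermediate page comes from.
function redirectDecision(redirectingUrl, locationHeader, whitelist) {
  return decide(redirectingUrl, locationHeader, whitelist);
}

// Constructed sample data (all hostnames illustrative).
const WHITELIST = [
  { dest: "recaptcha.net" },                            // generic rule
  { origin: "myblog.example", dest: "flickr.example" }, // per-site rule
];

const ATTACK_PAGE = "https://evil.example/cute-cats.html";
const ATTACK_LOADS = [
  "https://evil.example/cat1.jpg",
  // classic GET-based CSRF: an image tag aimed at a state-changing URL;
  // the browser would normally send the victim's bank cookies with it
  "https://bank.example/transfer?to=attacker&amount=1000",
  "https://www.recaptcha.net/api/challenge",
];

function demo() {
  return {
    blocked: ATTACK_LOADS.filter(u => decide(ATTACK_PAGE, u, WHITELIST) === "block"),
    survivors: filterPage(ATTACK_PAGE, ATTACK_LOADS, WHITELIST),
    shortener: redirectDecision("https://short.example/x1", "https://news.example/story", WHITELIST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The interesting line is the `return "block"` at the end of `decide`: the forged request to `bank.example` is stopped not because anything recognises it as an attack, but because the page that embedded it had never been granted permission to talk to that site. That is the whole trick, and also why a freshly installed extension breaks so much legitimate content until the whitelist grows.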

RequestPolicy was created for a very specific purpose: to give users the ability to better control their browsers and prevent CSRF. It's a bit rough at the moment, but it's very good at it.
