Up Close and Personal

Security in recent years is taking on a much more up close and personal style of gunplay than ever before. In our thirst for the story behind the story, we are no longer content with a page of HTML telling us what the file is called, what it does and how many hundred registry keys it adds. The steady influx of blogs into the security landscape has allowed spyware hunters and researchers to try new avenues of exploration with regard to shutting down the bad guys, instead of simply throwing a few definitions into a database somewhere.

Frustrated by lack of progress from Governments, law enforcement and civil liberty groups, the gloves are off and people demand justice. From the security researcher to the spare-time blogger, most have discovered that ruthless public exposure and a name-and-shame attitude are two of the most effective tools available when looking to take a bad guy down. The laws, resources and penalties available to hit them with in most cases are severely lacking, and a sizeable portion of miscreants simply don't care about getting into trouble with law enforcement, because they know it's highly likely never going to happen.

However.

This approach can create numerous risks - to the researcher, their websites, the companies....anything and everyone can become a target. At that point, it comes down to a battle of wills - how confident is the researcher that they can expose and shut down the bad actor? If they wobble, even just a little, is retaliation on the cards?

Traditional wisdom dictates that you should never be visible when shutting down a phish, botnet, hacking forum or other shady operation. You don't want to become the victim of a DDoS attack needlessly, right? The problem with this approach is that the bad guy never realises he is being hunted. They just put it down to their host wising up to their activities, chalk it up to experience and move on, setting up shop again in hours, not days.

This solves nothing. Nor does the idea that "If I lay low while doing this, they won't attack me". Plenty of security sites and companies get hit with DDoS attacks and infection files that target their programs and websites quite randomly and arbitrarily. If someone is going to whack you, they'll do it anyway. So why not get there first? To me, the proactive and aggressive approach is the only one that works. Everything else is a poorly applied bandage just waiting to be torn off.

With this in mind - and as blogs spill into more and more corporate environments (how many security companies now have a blog? It's probably easier to list the ones that don't) - it's interesting to observe how previously "neutral" companies (in terms of not making a big, direct public stink about someone or something) now have to adapt to tackling the bad guys on a personal level, through the medium of their blogs. I'm lucky - I've always done things in this manner, so there is no need to update my approach and change my writing style. Recently though, I saw one security blog (which shall remain nameless) write about a problem with a website, and they seemingly refused to actually name the site in question, even though the issue was something as basic as spam pages.

This troubles me. Every blog post carries a risk. The more upfront, the more forthright, the more critical of whatever it happens to be talking about, the greater the chance that someone, somewhere, is going to be annoyed. But do we really need to be so twitchy about what we post that we won't even do something as basic as name the site in question where this spam is taking place? Isn't that actually putting the very users of that site at risk through not telling them that there's an issue there?

Clearly, this was a blog where the corporate line is weighing down on the specifics of what can and can't be posted - and that's fine. Not everyone is going to take risks and put themselves in the firing line for the sake of some random blog post somewhere. Perhaps they have other means and methods of communication, better suited than their blog, to get the word out. Ultimately though, it does make me wonder what use the blog is if hampered by red tape, overly zealous self-censorship and (in some cases) not even the ability for readers to leave comments and interact with the writer.

You find yourself asking, well, what's the point of writing about an issue but not actually addressing it?

As the number of security blogs continues to grow - and more and more people realise the stakes keep being raised with regard to naming and shaming the bad guys - I'm looking forward to seeing how the blogs at the more corporate end of the scale adapt and survive. Do companies actually want bad guys turning up on their sites and threatening them? Emails containing death threats (I think I'm up to three now)? Denial of service attacks hovering over their heads? How far do they want to push their blog to both expand readership and develop new ways of taking down hackers, with the trade-off being that they then open themselves up to an endless series of inventive (and probably not very pleasant) attacks? Is it worth it? Should they just forget the whole blog thing right now and walk away, not wanting the trouble?

There is the risk that the looser, more indie blogs will just keep cranking up the level of expectation with regard to the content posted, while the blogs necessarily straitjacketed from being too wild or zany revert to a list of a hundred or so registry keys or (worse) fold altogether because nobody reads them anymore. I personally think there's room for both, but I also think that if you have a security blog - corporate or otherwise - you have a duty to tackle any and all issues head on, whether it be spilling the beans on something that needs fixing, hackers that need whacking or end-users that need protecting.

Dancing around the fire solves nothing. Plunging in head first, however, tends to get results - as long as you don't mind a few scorch marks...

2 Comments

This strikes at the heart of what I've been saying and doing for a couple of years. I've said this before in many posts, 'exposure is our greatest weapon'.

Yeah, there is a risk involved, no doubt. But at that point you need to decide if you're in it for the long haul or not. Separate the men from the boys, so to speak.

The more negative press that can be generated, the better, even at the blog level: if enough blogs pick it up, mainstream news sites will too. Once that ball is rolling, nothing but good can be had.

The power of the keyboard is replacing that of the almighty pen.

Great post PG, keep up the good work.

Although I am not a 'security person' who actively goes out to seek the wrongdoers and bring them down, I wholeheartedly agree with this method of tackling them.

After all, if lots more post and blog about what is happening and name these sites and people, are they really going to attack ALL of them? Strength in numbers... united we stand, divided we fall... you know the kinda thing ;)

Power to the People!

About this Entry

This page contains a single entry by Christopher Boyd published on May 12, 2008 11:19 AM.
