In the end, if the bad guys are winning, I think it’s because we have too much value we are trying to protect with the wrong methods. Vendors try to suck every last dollar they can out of clients, and leave no budget for the rest of the security layers, particularly the human element.

Harsh comment? Yes, but I was a product manager for many years, and it happens all the time. Isn’t the first thing in the sales guy’s prospect qualification checklist “How much budget does the client have?” Nobody stops to ask if that budget has been properly allocated. They just aim to use it up (maybe with enough professional services and support to make that one technology work as it should).

Yes, we should be trying to counter attack technologies with new preventative technologies. But we will rarely be in equilibrium with them.

My two cents.

Michael Farnum wrote a post on his blog, in which he referred to another post that said: Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if……

You’re right, we may not be able to stop them, but we’re not useless unless you are looking on a global level (and let’s face it, there is no police or policing force in the world that looks at that level and thinks they can prevent everything). If we can avoid risk enough to ensure our companies or even our interests, we’ve provided a lot of value. If we get owned by low-hanging fruit and garden-vareity exploits, yes, we’re f***ed.

We can also take heart that what comes out of defcon and black hat can sometimes be called highly skilled, exotic attacks that are simply not widely accessible or even understand by very many people. There are always exceptions, such as Graham/Maynor’s tools Ferret/Hamster which speeds things up a LOT. But that tool-pair is still only leveraging known issues.

Besides, we’re puzzle-solvers, in this field. And would we be very happy if we solved our puzzles fully? Hell no.

So, don’t quit just yet. There’s plenty to be had before retirement!

The guru’s missed the point however: “it is simply not possible to prevent the attacks I saw at Black Hat”, yep Richard, that’s the point of Black Hat. Now we are all aware of them, perhaps we can go and sort them out instead of running around yelling “the sky’s falling in!”

Just because he grew legs before we climbed out of the sea, doesn’t mean we’re all so far evolved. I’m getting sick of gurus and other geniuses.

And here’s me thinking Security was about awareness.