Satan is on My Friends List…

Today I was invited to a Black Hat Briefings webcast that included the intriguing topic “Satan is on My Friends List – Attacking Social Networks.” Naturally I registered; but that’s not what this post is about. That title just sort of got me thinking about contrasting worldviews and how they relate to those frames Nat mentioned in his post on the enterprise the other day.

While both O’Reilly and Black Hat conferences attract alpha hackers, their editorial points of view tend to occupy opposite ends of some kind of Internet worldview continuum. Whether from the influence of their founding personalities or some kind of Sebastopol vs. Las Vegas center of gravity, they both represent what is possible but they tend toward different visions of that possibility. Maybe I’m reading too much into this, but for what it’s worth, I’ve attended both Black Hat and O’Reilly conferences and can’t recall Satan making a single appearance in an O’Reilly conference program.

At their end of the spectrum O’Reilly’s web priests hew towards a utopian vision of universal Mac ownership; the wondrous synergy between VC, entrepreneur, and consumetributors; and a universally accessible source tree imbued with perfect freedom but with never a reason to fork. Open source isn’t just software in the O’Reillyen worldview, it is a Libertarian culture virus whose manifest destiny is to splice its DNA into any and every OSS-consuming organization. In the near future, all software will run in a browser and all applications will be served from Google’s wind powered data centers (wind produced by the flapping wings of crows, which as you guessed are fed the livers of notable Republicans). Eventually the web will become conscious as we merge with it, but unlike us, it will remain shiny and happy, self aware but never disappointed with itself.

Black Hat, on the other hand, enshrines the heavily tatted and pierced dystopic nether world of rootkits, malware, and Metasploit. Like danger with a riding crop, it gives the audience a brief thrill, but then everyone utters safe words in unison before anything really painful happens (just don’t use the ATM machine at the conference venue). They are crowdsourcing meets diabolical intent. Where any action, however deviant, is defended in moralistic tones – “We just kidnapped her to make sure you realized how dangerous it was to let her out without constant supervision. You really suck as a parent.” With the self-righteous indignation of the newly converted, they flaunt their white hats knowing all the while if times get tough they can switch sides later. Over at this end, the web won’t achieve consciousness, it already has, Beelzebub’s (and that is totally cool).

Oh, and meanwhile Gartner hypes “SOA” while maintaining short positions on middleware vendors in anticipation of the inevitable counter-cyclical trough of despair. :)

  • http://radar.oreilly.com/jesse/ Jesse Robbins

    This is perfect!

  • http://www.arkansawyer.com/wordpress John A Arkansawyer

    This is exceptionally funny!

  • Michael R. Bernstein

    Hmm. Where does Defcon fit on that spectrum?

  • http://motelfan.blogspot.com motels

    A funnyman with a funny story.

  • http://blog.uncommonsensesecurity.com/ Jack Daniel

    “Like danger with a riding crop”

    Priceless- Thanks

  • http://www.blackhat.com ShawnM

    As one of the coauthors of the talk and topic that sparked this entry, I’ll say the following:

    1) Bombastic titles have a long history at BH and DefCon. Actually, I believe Bruce Potter used Satan in the title of a talk 2 years ago, and I’m not entirely sure it’s the first time the Dark Lord has reared his head on the podium in Vegas around August.

    B) Carnival antics and riding crops aside (not sure if mine will make it through TSA this year), the reality is that all of us (speakers, accepted and otherwise, attendees, and hangers-on) are trying to get folks to pay attention to some very obvious problems that still don’t seem to stick in the collective unconscious:

    Any system is exploitable, given target value, time, and effort.

    Features still beat safety, hands down, every time.

    Most of what the security “industry” has sold to companies, governments, and individuals over the past 20 years has done little or nothing to help, though it has made a lot of VC’s a lot of money.

    III) Folks at BH and DefCon are certainly a pretty unhinged lot, sure, but why not? You have to be batshitinsane to be in this line of work. Read the newspaper.

    That’s all. Good thoughts. I’m sure someone can arrange the inaugural O’Reilly / BH potluck and fetish ball if you guys are interested. BYOBG (Bring your own ball gag).

  • http://1raindrop.typepad.com Gunnar

    Yup. Here is Mr. O’Reilly’s meme map in Satan mode

    http://1raindrop.typepad.com/1_raindrop/2008/05/security-evolut.html

    Would be outstanding if the Web 2.0 and O’Reilly folks wake up to the massive security vulnerabilities they are opening up, and fix them.

    -gp

  • http://www.agurasec.com ShawnM

    Gunnar: Thanks for the link! The attacker meme map is awesome!