[This was originally published on eEye.com and mirrored on attrition.org.]
As a security consultant, I get a lot of e-mail about every topic in the security arena. Running a popular mail list, I tend to get more than most, especially with new product advertisements. For the most part I give them a once over before deleting them, just to keep up with the latest names in the field. Every once in a while one will strike me as odd or noteworthy for one reason or another. Some grate against every last nerve in my body and lead to rantings I call articles.
On November 26, 1999 I received mail about a new Windows NT security scanner. I shared this with a colleague who quickly shared his frustration in reading product announcements like this. We both see eye to eye on marketing hype, especially hype revolving around the hysteria that hackers will invade your server, delete your files, and kick your dog. The solution is always the product being advertised which always seems to have been invented by ethical hackers or anti-hacker experts. Nothing is invented by ‘security professionals’ anymore. Looking at the email, something jumped out: (names have been left out as this is a bigger problem than a single company)
xxxxxxx SOFTWARE - xxxx: NT VULNERABILITY SCANNER
~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT's holes before they plug you. There are many hundreds of known NT vulnerabilities. New ones are found daily. You just have to protect your LAN _before_ it gets attacked.
xxxx is a new tool that solves your NT security exposure in a completely unique fashion. xxxx is not just a shrink-wrap product. It comes with a responsive web-update service and a dedicated Pro xxxx team that helps you to hunt down and kill Security holes. Originally built by anti-hacker experts for Secure Government sites.
Download a demo copy before you become a statistic.
http://www.xxxxxx-xxxxxxxx.com/xxxx.htm
One line jumped out at me:
“Originally built by anti-hacker experts for Secure Government sites.”
This one simple line says so much more. Unfortunately for them, it says many a negative thing and leads to more questions and harder-earned trust. What seemed like a good marketing line often ends up doing more damage than they could imagine. Security professionals are often cynical and skeptical by nature. As such, they read into the small details, as their profession often demands. Sentences like this make us wonder whether they are simply lying about a product’s origin, or whether they realize that this undermines the integrity of their product. Either way, the company loses.
“Originally built by” leads to an obvious question. Who builds and maintains it now, if not the ‘anti-hacker experts’ that originally did? A common tactic adopted by many companies in and out of the security field is to hire well-known and highly respected professionals to build a team/practice/product/company. Once a solid name and positive reputation are built, they move on to bigger and better pastures. The minute they leave, a new world evolves, leaving the team or product in different hands. Oftentimes the deep impact of the salary or fee required to bring in the big names is seen in the low pay of the second wave. That low pay often translates into low skill as well.
“anti-hacker experts” makes you wonder whether they mean experts in anti-hacker measures such as firewalls and security mechanisms. Or perhaps they mean experts on hackers, which in turn makes them ‘anti-hacker’, and this is just the blend of words used to convey that idea. The use of “anti-hacker” suggests they mean something other than “security experts”, so we can conclude their original product designers were “anti-hacker” in the sense that they knew hackers, their techniques, their philosophy and more. Anyone with a passing familiarity with hackers and security would quickly doubt this claim. Every group, article or company that claims to be an expert on hackers tends to disagree with the others. A general lack of information, or of the ability to adequately address the problem, suggests these people are far from experts when it comes to hackers.
“for Secure Government sites” is a very curious conclusion to the sentence. Why is ‘Secure Government’ capitalized? Is it some indication that they are referring to specific machines with a particular named designation? That seems to make no sense. Perhaps the marketing department was overanxious in emphasizing their product. Running with that idea, we can assume they mean “secure government sites”. Once again, this is a curious claim. If they are talking about proven secure machines utilized by our government, why not call them by name? “for SIPRnet” has a much better sound and at least makes it sound more legitimate. But they can’t claim that if it isn’t true, because it is a specific network with a well-documented trail of who worked on it. So they must mean secure government servers in general. This claim is purely absurd, as we see dozens of government and military computers compromised each week. The illusion that the government must run secure servers has been resigned to nothing more than jokes told by hackers and security consultants alike. This claim is more amusing when looking at a list of the government servers that have been defaced, along with what operating system they were running at the time.
Yes, this seems like an awful lot to read into a single line of a product advertisement. However, for those in the security field who are tired of hype and mystique being built around old illusions, it becomes a personal insult.