A number of events in past months have forced me to reconsider my position on a number of issues.
Foremost in my mind:
- The Vodafone scandal in Australia,
- the Australian Prime Minister’s Laptop being hacked,
- Office of National Assessment’s of Govt security (and SQL injection being described as “non-major”),
- RSA being owned,
- the Comodo CA hack.
What do these all highlight?
- Ultimately, the blatant disregard that Australian citizens have towards their own privacy,
- Similar disregard by our government to protect its information assets,
- Gross misunderstanding over what SQL injection means (in spite of seeing the ownage of HBGary),
- The fundamentally flawed architecture we have come to rely on (SSL & CAs).
We (Australia) have no mandatory notification of breaches, no penalties for privacy breaches, and weak government interest, capability and skill in securing our own assets.
I am tired of banging my head on a wall and hoping that things will get better and that I can play any role in that future. I have blogged about it in the past and I hoped this was just a phase and I’d get past it. But I can’t and I’m over it.
A wise man once said to “follow your bliss”. Once upon a time, I loved pillaging boxes and finding holes. Somewhere along the way, I lost my path. I betrayed my own values. I’ve got a set of programming books piling up in my library that I’ve never touched because I’ve been so focused on architecture, strategy and business. None of this makes a lick of difference in the scheme of things and quite frankly, if the Australian population and our own government don’t give a shit, I don’t see why I should.
Sure, I believe you can focus on architecture, sound decisions based on risk and an intelligent approach to understanding your business, and uplift your security. But at the end of the day, it’s a drop in the bucket. When people think SQL injection doesn’t mean much and lazy administrators can’t be stuffed patching Windows boxes because it involves work (err... “downtime”), then nothing I do will ever really matter. What’s more, nobody seems intent on addressing these problems. There is no patch for human stupidity (or laziness for that matter).
So I’ve decided to “follow my bliss”. I will be focusing on penetration testing, vulnerability research and programming solely from now on. I will get back to my roots – and I am the first to admit I have a lot of things to catch up on. But I will enjoy the journey at least. I will devote myself to finding the holes. Let the fixing go to other people who have the stamina and the patience to do it – I’m done with it.
To the pentesters I’ve hassled – you guys were right all along. I was wrong.
To the people who supported me – sorry guys, but I’ve seen the light.
UPDATE: For those who missed the date of the post, yep I'm pulling your leg. Happy April Fools Day y'all.