[funsec] DefCon 'Race to Zero'

Rich Kulawiec rsk at gsp.org
Sat Apr 26 02:44:12 CDT 2008

On Fri, Apr 25, 2008 at 10:49:37PM -0400, B Potter wrote:
> On Apr 25, 2008, at 8:05 PM, Paul Ferguson wrote:
> >
> > I'm sorry, but if people don't already realize that their behavior
> > is already dangerous by reading the plethora of data, articles,
> > research, blogs, etc. that is available, some controversial contest
> > to write "stealthy" malware at DefCon ain't gonna do it either.
> Honestly, I think it's sad that everyone is scared of talking about/ 
> building/demo-ing 0day these days.  10 years ago you could go to any  
> security/hacker con and several talks would be revealing some new vuln/ 
> exploit.  IMO, that's changed dramatically  due to several reasons:

I agree with both of you.

I think it's fine that DefCon is going to have a malware construction
contest.  It may be entertaining.

But let's not pretend that it will raise awareness: it won't.  It won't
be publicized beyond the circle that we work in, and even if it is, the
people who most need to have their awareness raised won't hear about it
or pay the slightest attention to it or modify their behavior in any way.
They will continue to use worst-of-breed products like Outlook and IE,
they will continue to click on anything shiny, and they will continue
to subvert their own systems 24x7, thus saving attackers the trouble of
doing it themselves.

This is yet another version of one of Marcus Ranum's six dumbest mistakes
in security: Number 5, educating users.  As he says, "if it was going
to work, it would have worked by now".


More information about the funsec mailing list