Analogies are a funny thing; much like statistics, they are often warped to support any point of view. A few Mac bloggers came up with analogies around why they were not shown our exploit work from last year. Of course, their conclusion is that we made it up. Forget the fact that if you were to follow the instructions from our presentation you would have found these bugs; they still write that it was a fraud.
I have my own analogy. Wait, it is less of an analogy and more of a statement. Why would I show them anything I do? Are these bloggers a responsible party at any affected vendor, a third party agency, or either Jon’s employer or mine? After Blackhat 2006, numerous driver developers contacted us across a variety of platforms for things they could do to make their code better that ranged from defensive coding techniques to better ways to test for vulnerabilities. This was the point of the presentation. Proving ourselves to bloggers was not.
To be very honest, I had never heard of any of these people before they started yelling about me being a fraud last year. Their demands and “contests” for me to show them my work are literally the equivalent of me making a blog post challenging the governor of Georgia to a debate on fiscal responsibility, then claiming victory when I am ignored.
That’s the dirty secret, though: it is hard to claim to be an authority on a subject when the newsmakers mostly ignore you. In order to combat that, you have to set yourself up in such a position that even if a person ignores you, you can claim victory.
Let’s look at the reasons why the “macbook” contest was ignored.
-John Gruber’s approval means nothing in the security community.
That is pretty much it. Oh and he made the challenge after we were gagged. Nothing like waiting until someone is in handcuffs to take a swing at them. I could be childish and offer a contest to prove that they would have even understood our work. Hell, with all the Apple 0day we are sitting on I could even offer to go double or nothing on their absurd Macbook challenge. But in the end things like that are utterly stupid because they really prove nothing.
Nice post; it was full of a lot of cheap shots last year that did exactly as you said: declare victory just because you couldn't/didn't respond. That's an intelligent approach, and maybe why they're just bloggers. :P
In the end, you're right. What did their judgement really mean? Did they even have the technical knowledge to understand the situation beyond a fanboy knee-jerk reaction? In almost all cases, no. Their heckling or even accolades really meant and still mean nothing in the whole scheme of things...despite their own self-views.
Just wanted to say thank you for your work last year (and ongoing), in an area that needed the work and exposure. I think a lot of us truly should owe you and Jon a beer or two at a future meet.