Thursday, March 27, 2014

A traditional cybersecurity company

Picture of the loft, from Space Rogue.
This is the tradition.
In the prosecutors' response to the Weev appeal, they make this snarky claim about Goatse Security:
It is not, to put it mildly, a traditional security research company. The firm’s name is a reference to a notoriously obscene internet shock site. ...  Goatse Security’s corporate motto is “gaping holes exposed.” 
They are wrong. This is traditional, at least for security research companies. We start out as hobbyists having fun, not taking what we do seriously. We start wearing t-shirts and hoodies. Only as we grow older do we realize that people will pay serious money for this, and it becomes our formal job, where we might show up to meetings wearing a suit.

Take, for example, L0pht Heavy Industries back in the 1990s. This was a hacker collective who rented a loft together as a place to stick all their computer equipment and share a link to the Internet. It was a place to go after work. The name "heavy industries" comes from Japanese anime.

Their collective started to become a "real" business, with consulting contracts and sales of their tool "L0phtcrack". For some members, it became their day job. They then merged with some entrepreneurs and venture capitalists to form "@Stake", creating a "real" cybersecurity research and consulting company serving the Fortune 500. @Stake was then purchased by Symantec.

Today, former L0pht members are scattered throughout the cybersecurity industry, often in management positions. "Mudge" became the director of DARPA cybersecurity research. "Weld Pond" and "Dildog" founded a new startup, "Veracode". "Space Rogue" is management at "Tenable". These guys are now the elders of cybersec, shepherding the young who come from the same sorts of informal roots they came from.

Sure, my comparison isn't a good one. L0pht was merely informal, whereas "Goatse" was the maximum amount of rudeness and trolling. My point is simply that these are all the same "tradition" of cybersecurity: while we might end up wearing suits, few of us started that way. This further demonstrates that the prosecution of Weev is prejudicial and arbitrary, based on factors other than whether his "access" was truly "unauthorized" as per the CFAA.
