Have any of you ever even been to an ISSA meeting? All this talk about "discussing serious vulnerabilities within member companies..." What meetings do you go to?

In my experience, the ISSA meetings I've been to were far more social in nature than technical. On top of that, much of the technical seemed to be limited to sharing woes about the latest Outlook nightmare propogating whatever Virus or sundry Malware happened to be the nasty-du-jour, along with the random "invited guest speaker/product marketeer." Not exactly a hotbed of detailed discussion for inherent weaknesses within critical infrastructure.

On the Mitnick issue...Kevin had a similar problem many years ago with DECUS. He was removed from that as well, due to his past transgressions. This was in 1990, and caused a MAJOR rift back in the fledgling security industry. Anyone remember that?

Let's play Devil's advocate:

1) This systematic exclusion from the organized socio-technical associations at the time led kevin to the (obvious?) conclusion that he would never be accepted, forcing him to continue down the path of the darkside

or

2)Kevin was a dumb guy, with no common sense or morals, and had little intentions on stopping his hacking foray (ultimately making him a 3 time loser.) So the DECUS people made the right call.

Discuss amongst yourselves.

Before you begin, note that there have been many "Reformed Hackers" who have likewise been subjected to this type of exclusion from the old-boy's club of InfoSec. Some weathered it out from the late 80s/early 90s and eventually became accepted (if not sought out) by the same communities that once rejected them. One big difference between such people and Mitnick...these people didn't revert back to crime over the years, as Mitnick seems to time and time again.

It should be also noted that ISSA does have members who have hacked into computer systems at one point in their lives, as do most (if not all) professional organizations (along with Security Consulting Firms, Security Product Firms, Major Accounting Firms, Government Intelligence Agencies, etc.) And further note that many people who hold the CISSP have likewise hacked many a computer system in their youth.

Hypocritical? Probably.

On another note, my initial reaction of Kevin is of someone trying to capitalize on a furor of media coverage to make as much money as possible in the shortest amount of time. (Talk to his "agent" and you will get an interesting picture about what it takes a company to "do business" with Kevin... at least I did.) But that is the American Way, so we can't be too critical of that...

Ultimately, I hope that Kevin has finally grown up, and has realized that he needs to get his act together.

Time will show if he can weather the storm and prove his sincerity...and ultimately, if there is anything worth buying from the guy once the press releases dry up.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/2403/18208#18208