I'm not sure how useful a statement that is, though. Without users none of the security threats would matter, either. So what?

To move towards solutions, you have to understand the issues, to understand the issues you have to understand the people, and to understand the people you have to understand their motivations.

That means you have to separate the whitehats from the blackhats - their motivations are completely different. I think that most people would agree that whitehats are primarily motivated by a combination of curiousity, thrill-seeking, and need for notoriety. Blackhats are primarily motivated by some combination of political aims, emotional issues, and financial needs. Those are very different drivers, and need to be addressed completely differently.

By the way, your interview did strongly imply that you were talking specifically about whitehats, not the larger class of hackers:

They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.

As discussed above, I don't think the blackhats are doing this for fun. I think they're doing it because they're angry at someone, want to make money, are trying to make a socio-political point of some sort, etc. Computer crime is just a tool to them - not fundamentally any different than extortion, bank robbery, or car bombing.

So you're not going to stop exploitation of security threats by convincing "hackers" that building web applications is more rewarding than finding and demonstrating a hole in someone's security.

That's probably enough for a comment board posting ...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/334/32062#32062