The two most annoying things I always get asked at security conferences
RSA 2008 was always going to be a tough one to pull off - while most people were probably going there to dazzle everyone with the latest cutting edge exploits, cryptography-tech and innovations in the technology field, I was going to show up and talk about kids hacking things.
Already off to a tricky start, things were made more complicated by the structure dictated by such an enterprise - throw in all the juicy stuff right at the start to keep people's attention, and you risk having nothing interesting to whip out at the end. Keep it too general at the start, and you risk incurring the wrath of the OMG KIDS HACKING ON THE INTERNET? OH, WOW REALLY? THAT'S SUPPOSED TO BE NEWS NOW? brigade.
Of course, the news isn't that kids are "hacking on the Internet" - the news is that nobody is still paying it much (if any) attention. Why is that? It's a tricky question to answer.
I did have a few people come up to me while I was at the FaceTime booth who fired the following at me, and I usually always get something along these lines (indeed, one guy got particularly stroppy with me for no good reason at InfoSec Europe after asking me the first one). It used to irritate me, but now it just makes my eyes roll and probably glaze over a bit. I might start to think about shopping I need to purchase. A funky song from yesteryear might autoplay in my mind while I jig from side to side in a sexy yet creepy fashion. Who knows.
1. Sounds interesting, but what is the value to your company?
Well, in terms of specific value to "my company" (and indeed, all companies), anything interesting and productive is good publicity, and good publicity = good news for any company, right? If nobody knows who you are, they're less likely to buy your stuff. If everyone knows who you are, you've achieved some form of visibility and so might sell slightly more stuff. If what you do is worthwhile and productive, there's an increased chance people might take your equipment for a test drive. Anyone that can't see the obvious benefits of that, just doesn't get it.
The other side-effect of lots of publicity is that scumbags the world over - and those scumbags can be anyone from the 17 year old kid in his bedroom to the nastiest of kiddy pr0n creators - don't like a light shone in their face. It all helps, and it all goes a little way towards giving people actively working in security one less headache to deal with.
These people also tend to forget that it's not just a case of shutting down some websites and that's it. If you start with a person, you inevitably end up with their interesting and unique infection files which can then be protected against. If you start with the file, you can usually trace it back to a fame-hungry mofo.
There's no reason why we can't have our cake and eat it, and no reason why we can't simultaneously look to grab the files for detections AND attempt to shut down the people making those files permanently. In that sense, we're doing what anyone else in security is doing - providing detections - and also trying to ensure they don't keep pumping out infection files all day long. Anything done after grabbing the files and providing detections is a bonus. That's a benefit to everybody, and I'm interested in providing a benefit to everybody - not just the parent company.
Why does "value" always have to equate to tangible amounts of cash on the table? If it's done purely to help people, does that suddenly lose all worth? Is it only relevant if I'm rolling around in a swimming pool stuffed with hundred dollar bills or something?
I'm sure the future victims of some credit card scammer who won't now be stung because we already shut him down three weeks ago will see the value in it, or the people using some social networking site that won't be hit because we already shut down the clowns producing the latest scam, and so on and so on. To me, people complaining about the dollah dollah bill, y'all worth of things not being entirely evident by "simply" shutting down wannabes, hackers, crackers and God knows who else have it all back to front.
In case they forgot, I apply the same "burn it all down to the ground" method for everyone from Adware vendors to hackers in the Middle-East and everyone in between. Was it an issue then? Or does it only become an issue because people can't immediately see the worth in slicing up wave after wave of script kiddies?
I mean, it's not like many of these kids will be doing bigger, better and nastier things in five years' time or less if left unchecked, right? It's not like they're gearing up to be the next wave of assclowns who people like me will eventually have to chase down anyway, right? What? What's that? They WILL?
Oh.
The next question I had thrown at me from one or two guys was something similar to this:
2. I used to hack back in the day, and I'm still on the scene though I don't do anything anymore. You shouldn't call these kids hackers, because it's an insult to all of us real hackers who were all about exploration and fighting the system etc etc (insertpartabouthowtheyactuallyusedtohackthingsanywayhere).
My response to that was, you're unhappy about them being lumped in under the semantically awesome term "hacker", you claim to still be "on the scene", you probably read articles in 2600 magazine about the "true worth and nobility of hackers" and yet don't actually do anything to steer them towards your ideal goal of "hackers not being into illegal things as such and actually being all about exploration and freedom of expression"?
Wow, then EPIC FAIL FOR YOU.
Anyway, ramble over. I just want you to know what not to ask me at conferences (along with, "Did you enjoy the flight". That one sucks too).

