March 11, 2009

Professionalism in the Security Community

Marcus Ranum recently started discussing CyberWar and its basis in reality (or lack thereof). He first presented the Cyberwar is BS talk at HackInTheBox in Singapore and more recently at DojoSec in Columbia, MD.

The talk was naturally controversial, partly because that's Ranum's style and partly because of the subject matter itself. Some people have resorted to delighting in Ranum's alleged '0wn@ge', since his talk supposedly drew some nasty feedback, including people calling him an idiot or saying that he doesn't know what he's talking about, etc. (more on that later...)

I welcome a sober discussion on cyberwar (what it is, why it's real or not, etc.), and while I don't agree with everything he said at DojoSec, I would never call Marcus Ranum an idiot. Why not?

A few reasons just off the top of my head:

1. He is clearly not "an idiot." He's been around the infosec block for a long time, on both the technical and business side and he has the experience and technical skills to match any young ankle-biter I know who wants to take Ranum down a notch by calling him names.

2. Even if I thought he was wrong about some, most or even ALL of his points, he'd still not be "an idiot," he'd just be wrong. It would be my responsibility to say why I thought so, privately and/or publicly, but in a respectful manner.

3. He owns a very accurate rifle and knows how to use it...

But seriously... Let's stop calling each other names and trying to take people down in order to make ourselves look good... and let's get back to contributing CONSTRUCTIVELY to the community.

A community where, I might add, Marcus Ranum is a longstanding, honorable member and leader. There are plenty of people who disagree with some of the content in the "Cyberwar is BS" talk, but there are those in our community who can disagree with someone and still display professionalism and respect.

Like, say, Richard Bejtlich, who blogs at TaoSecurity and is himself fully qualified to discuss cyberwar and its implications:

Guess what? I too disagree with some of Ranum's points in the "Cyberwar is BS" talk and I found myself occasionally squirming in my seat at DojoSec during his talk. I emailed him to tell him so instead of calling him names, telling him that I'd try to formulate a cogent argument for modifying some of these points (coming soon). Ranum will take good points and revise his thinking and presentation if it makes sense to him.

With that said, I couldn't agree more with what Ranum asked of his audience at DojoSec on March 5th:

"I am totally OK with people who say I don't know what I'm talking about, but what really makes me happy is if you tell me WHY I don't know what I'm talking about.

You can sit there until you're purple in the face and say 'ah he's an idiot' but if you tell me WHY I'm an idiot, you've got my undivided attention. So if you wanna argue with me about this, I am yours until hell freezes over, but don't just say I'm stupid, cuz I'll just say you're stupid back"

Please, people, don't fall into the cynicism/namecalling trap: It's counterproductive, unprofessional and makes you look disrespectful to fellow security people and possibly to others outside the community. It will never elevate your status long-term, even if you happen to be right about a certain part of an argument. Keep it cool and calm: We're expected to be graceful under fire, after all.

BTW, if you think I'm an idiot for saying this, re-read the above quotes and let me know WHY...