Call me Ishmael
I know you’ve seen my messages. I don’t understand your choice.
Why are you ignoring me?
I’ve sent you multiple messages through your website. I’ve pinged you several times on Twitter, and I’ve done it at times when I can watch you answering other tweets - blathering about inanities, sending messages of support, chattering about anything and nothing.
I’ve become convinced that it’s impossible for you to have NOT seen my messages.
“Your website is compromised.”
At times, I’ve been polite.
At other times, I’ve been a little rude.
I’ve given you simple Google searches to try.
I’ve done those Google searches for you and I’ve sent you screenshots of the results.
Heck, I’ve even sent you a screenshot of your compromised site.
I know you’ve seen my messages and yet you choose to ignore me.
Why do I care more about all of this than you do?
It’s a question I’ve asked myself over and over. I’ve been doing this thankless task for something like 20 years now… since back in 2001 when I first started running the prototype of what would, eventually, become LaBrea. I’ve been contacting people to tell them that they’ve been 0wned.
“You have a compromised system.”
“Someone has hacked your website.”
I’ve said those words many, many times.
From LaBrea, to honeypots, to Google searches, to neat little toyz I’ve purpose-built to monitor attacks - I’ve used a bunch of different tools over the years, and I’ve found lots of compromised stuff. I’ve made phone calls, sent emails, Facebook messages, and tweets.
I’ve been ignored more times than I can count.
Every time I’m ignored, I hear this voice in the back of my mind whispering: “Why do I care more about all of this than you do?”
It bothers me.
Seeing someone use their intelligence to take advantage of other people truly bothers me.
It bothers me to the point that seeing it makes me need to reverse it. To fix it.
But why?
I’m a strong believer that philosophical anger and moral outrage are often a reflection of the weaknesses we fear the most in ourselves.
While this isn’t a hard and fast rule, it tends to be pretty accurate. Moral indignation tends to stem more from furtive fascination than from true disgust. As H.G. Wells famously said, “Moral indignation is jealousy with a halo.”
Show me someone who is righteously indignant about any thing - drugs, pornography, gambling, websites being hacked - and I’ll show you someone who, deep down inside, is afraid that they could, under the proper circumstances, have a problem with that thing.
In the security industry, it’s something of an open secret - we talk about it all the time: The Line.
“What would it take to make you cross… The Line?”
In most industries the seduction of the dark side isn’t nearly so omnipresent. In security, it tends to be in your face on a day-to-day basis. We all see the hacks, and unless you’re… well… dead, you’ve probably thought - on more than one occasion - “Damn… I could’ve pulled that off…”
I have. (And, me being me, I’ve also thought… “Damn, I would’ve done a much better job…”)
We talk about The Line, because The Line fascinates us - and that fascination terrifies us.
We talk about The Line, because The Line drives us to feel it: jealousy with a halo.
We talk about The Line, to keep ourselves firmly planted on this side of it.
And, some of us need to throw on an imaginary mask and cape and run around trying to save the world one website at a time - just to keep ourselves far away from The Line.
And we just wish you would answer our frickin’ emails…
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 5, 2021