Times change.  People change.  Or more correctly, people evolve.  Their 
needs become different and their desires shift focus.  What was a demand 
yesterday is useless excess today; what was leading edge then is ancient 
technology now.

And the security industry is no different.

The security industry is a much different place than when I entered it
(although I must give my proper respects to those who were in the scene
way before I ever came around).  My reasons for being back then were very
clear to me: open and free research--education of myself and others.  At
the time many others followed the same principle, and all was well.

Of course, (in)security flourished, and that means commercialization was
inevitable.  Granted, I don't believe your general commercial security
service offering is that bad.  But that's only step number one of
commercialization.  Once market viability was proven, then came the rush
to create commodities.  Security is now sold in a red box with a support
contract.  And this is where things went downhill.

I'm not the only one who feels this way.  A large part of the Anti-Sec 
movement was based on the same cause; we just differ on the response.

Granted, it's naive to think things will, or even can, change back to the
way they were.  I think that's the oversight many have.  We can't go
back.  There are very few instances of retrograde in evolution--particularly
retrograde sparked/led by a small group.  And even the entire security
industry would amount to a small group in the grand scheme of things.

A good example is the meaning of the term 'hacker'.  At one time it meant
'tinkerer', or someone who had an exceptional specialized skill or
understanding of a subject.  The subject didn't have to be
security-related, or even computer-related.

Nowadays the meaning of the word is different.  It carries criminal
connotations, largely due to media misuse.  Worse, we can't change the
fact that people have accepted the new meaning.  But I still naively clung
to the old meaning, and evangelized its proper use as much as I could.
Now I realize I was in error.  No one can unbrainwash the world into
reclaiming the original meaning of the term hacker.  It's a dying battle;
the damage has been done.  The old meaning of the term is extinct.

Except 'hacker' is not the only thing which has changed.  In particular,
the reasons and drives in the security research community have
changed--not so much for the better or worse, but rather 'for the
different'.

What was free and open research is now profit, marketing, and illicit.  
Vendors stepped in and took control, and the government started providing
oversight.  Some will say the Wild West was tamed.  I say the Free West
was put under lock and key.

Well, 'lock and key' is definitely extreme.  It's as oppressive as you let
it be, but it's hard not to feel the onerousness of all the
security-related legalities that have crept up.  Do the DMCA et al.
really retard the 'bad guys'?  After all, the DMCA is just a law, and the
bad guys, by definition, are not law followers.  They couldn't care less.

But it does impact the 'good guys', particularly those doing security
research, like myself.  It's things like the DMCA and the possibility of a
misguided lawsuit at every turn which make me happy that, to this day, I
have stayed behind my nym, as flimsy a shield as it actually is.

Anyways, the security industry has transgressed the parameters in which I 
chose to operate.  Since the beginning I have always said that I am doing 
what I do because I like it--it is *fun*.  Well, it was fun.  But it's not 
anymore.

So now I'm left with the choice of leaving the security industry entirely, 
or adjusting my expectations to better fit to today's snapshot of 
security. 

This leads to the refactoring.  I've decided to set new parameters for
myself and how I interoperate with the rest of the security industry.  My
wiretrip website is one obvious change.  There are enough computer security
sites and blogs on the Internet that the world doesn't need another--nor
do I have any intention of doing what everyone else is doing, without
providing any significant unique value.  Therefore I consolidated and
reduced the website to the bare essentials.  Superfluous material (for the
sake of superfluous material) is no more.

Whisker is also no more.  The demands for technical support, and the
requirements for keeping it updated, far outweigh the benefits of
continued development.  I can't compete with the commercial scanner
vendors who have funds to contribute to development.  I also can't compete
with large projects which have many hands to help maintain code bases.
This doesn't even take into account the general futility of CGI scanning in
this day and age.  So it's done.

Also done are my speaking engagements.  I don't plan on answering any more
CFPs or accepting any more invitations.  I do not have anything left to
speak about, nor anything I wish to speak of that would benefit anyone
other than curious researchers.  I'm going to enjoy being in the crowd for
once.

I've had a lot of good moments in the past few years in this industry, and
I'm sure there are still a few more to be had.  I will still be around, my
research will still continue, and development of libwhisker will still
happen.  But the days of free security research for the sake of free
security research are numbered, if not completely over already.

Don't lose sight of security.  Security is a state of being, not a state
of budget.  He with the most firewalls still does not win.  Put down that
honeypot and keep up to date on your patches.  Demand better security from
vendors and hold them responsible.  Use what you have, and make sure you
know how to use it properly and effectively.

And above all else, don't abuse or take for granted sources of help and
information.  Without them, you might find yourself lost or
inconvenienced.

- rfp
May, 2003
