Yes, I know very well that it should be the Hippocratic Oath, but there may be those who think that someone who spends as much time talking to the media as I do should be careful not to cast the first stone from inside a glass house. (Bear with me: this really is going somewhere…)
Still, I came across a pointer today (tip of the hat to Bob Radvanovsky) to a much-to-the-point blog article by Michael Tanji on "Is your “cyber security expert” full of s***?" I'm not sure the asterisked word refers to soup, but this is a family blog, so let's assume it does.
The article is actually over a month old, but there are still plenty of security experts around who are full of soup, long after this year's Black Hat conference has congealed and been poured down the sink. (Actually, there was lots of interesting stuff there this year, as usual, and there are plenty of conference events that are more thickly seasoned with what Rob Slade calls "instant experts", but that doesn't mean Black Hat is immune.) And as Ken Bechtel also pointed out on an AVIEN mailing list, Tanji's article has a lot in common with Rob Rosenberger's semolina – sorry, I lost my thread there for a minestrone - seminal article on False Authority Syndrome, which is always worth giving another plug to.
Mention of Ken Bechtel is actually very apposite: Ken put together a code of practice for AV researchers to which a number of AVIEN members subscribed, and which specifically borrowed the tenet "do no harm" from the Hippocratic Oath. (Got there at last!)
I also rather like the version of the Oath written by Dr Louis Lasagna (no, that's not another pasta pun), which says "I will not be ashamed to say "I know not", nor will I fail to call in my colleagues when the skills of another are needed for a patient's recovery." So, I suspect, does Tanji: he cites as one of the ways of distinguishing between "security celebrities" and the truly knowledgeable, that the "good" security guy is "the first to tell you he doesn’t know/he refuses to talk about subject X".
But read the whole article: and if it makes you more sceptical of the bona fides of those of us who pollute the blogosphere with our own opinions, that's a Good thing. As Rosenberger said in his article, "I want you to question the credentials of anybody who talks about computer viruses. Indeed, I want you to question my credentials in this field!" Though he was talking specifically about computer viruses, which were the biggest problem in malware at that time, it applies equally well in principle to all security. Learn to be a sceptic!
David "excuse the alphabet soup" Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security