ZDNet Australia has a tech savvy readership. Many of you reading this would have been in the same position I was in when every man, dog and its accompanying fleas were buying a PC. In my family, and among many of my friends, I was the incredible, the amazing... drum roll please: "computer guy".
For most people, a computer is like a car. You put petrol in it, drive it, and then take it to the "car guy", read: mechanic, for a service or repairs. With a computer, you take it home, screw your configuration, and then call "computer guy" to come and fix it.
I have spent countless hours of my time sorting out other people's computer hassles. If you can help, you're expected to help.
Now let's take it one step further. Imagine you are "computer security guy" for all the "computer guys". Every time you plug "security guy" into Google, your name comes up. This has been the hell that RFP has been living for the last several years. He has become the world's largest one man computer security helpdesk. He's become a nerd overlord; the king of geeks.
How did he find himself in this situation? By freely contributing his expertise and knowledge to an industry that desperately needed it. Not only is he a star bug finder -- RFP researched the most easily exploitable Microsoft Web server flaw ever found -- but he's written open source tools, such as the Whisker vulnerability scanner, that were way ahead of their time.
Then there were his advances in the area of vulnerability disclosure. Several years ago RFP wrote the RFPolicy for vulnerability disclosure. It has been ubiquitously adopted as the accepted policy for the disclosure of security vulnerabilities.
He has supported Whisker, written a new version, and answered nearly every single bone-headed question that has been thrown at him by scores of ignorant, neophyte drones.
What was his reward for his countless hours of community service? Money? He says not a cent. RFP has mostly been "rewarded" with pressure and expectation.
When the Organisation for Internet Safety released its draft guidelines for vulnerability disclosure, which it took way too seriously, especially considering everyone was pretty happy with the RFPolicy, he was told by sections of the security and media industries that he "owed it to them" to comment. His response isn't fit for our site, so I'll just have to leave it to your imagination.
If that wasn't enough, the poor guy's had big business move in on his turf, selling sub-standard solutions for megabucks.
In the statement he released in which he announced his plan to become anonymous, he seemed particularly flabbergasted by the domination of vendors that promote shiny red boxes with support contracts as a substitute for true security.
The way some of the larger vendors are pushing their products is somewhat similar, in my mind, to the campaign dynamics of some modern politics. They appeal to the lowest common denominator, like the politician who oversimplifies. "I love what that man can do. He's a leader. He has vision. He can take the most complicated social issue and make it really, really simple."
I guess it's the same in security now -- proper policy, procedure and management are no match for a shiny box with pretty flashing lights. Vendors say it's simple, and people believe them.
Handing over his turf to people like that hasn't been easy for RFP. "What was free and open research is now profit, marketing, and illicit. Vendors stepped in and took control, and the government started providing oversight. Some will say the Wild West was tamed. I say the Free West was put under lock and key," he said in a recent statement.
So what's next for RFP? Well he's in Sydney delivering his swan-song presentation at the Hack 2003 conference. From this day forward he will be in the crowd, not at the lectern. Does he owe us anything? I don't think so -- he's done enough.
Excellent article... altruism has been betrayed.