More proof that infosec people are just parasitic jerks…

Today I was directed to a post on the Errata Security blog concerning the lovely OLPC project. For those of you who don’t know what the OLPC guys are doing, i.e. you’ve been sleeping under a rock for the last four or five years, the OLPC guys are building a cheap laptop for kids to use, targeted at enabling third-world countries which do not have computing in their schools. Anyway, you can check out the wonderful example of trolling here, in a post titled “Why the OLPC promotes terrorism”. It ends with a nice picture of an XO running Metasploit; I guess this is intended to scare people into having an irrational fear of the OLPC project.

A fair warning first: I don’t own an OLPC XO, but I think that Sugar is a major innovation in human-computer interaction, and is certainly welcome in the open source world. Additionally, not all infosec people are like this, just a large number of them. (By large, I mean it would easily overflow a “long long” value if you counted them.)

Right, well anyway, I’ve had it with this nonsense, and I intend to counter his argument in a few ways. I’ll start out by pointing out that:

Errata Security and its employees are parasitic on the work done by other people. These people work on projects that Errata Security (and other infosec people) blog about and discover vulnerabilities in. This in itself is OK, as long as you don’t slag the work done by the people you make your money from exploiting. As long as they stick to that guideline, people will view them as symbiotic, but when you write a blog post, or make a public comment, slagging a project, you do more than just anger that individual project. Theo de Raadt once said that “to stay open, you must stay vocal”. As such, when you slag a project, you harm your own reputation.

Metasploit will run at least equally well on an ordinary Intel PC as it does on the XO. Seriously, I don’t see how this is a flaw in the OLPC XO. When you own a computer, it is up to you whether you use it for productive means or not. Also, let’s consider that perhaps the fact that the OLPC can run Metasploit means that it may teach proper security procedures to users of computers in developing countries. Oh. Wait. That might harm your business model, we can’t have that! Now I see why you want to attack people. It’s all about protecting your company from a new generation of clueful computer users. Brilliant.

Many infosec researchers release PoC code which is not defanged. This is arguably more harmful to America’s IT infrastructure than the OLPC XO is. To those people who release such PoCs, I will simply say that you are the most parasitic of all. I do not know if Errata Security has ever released such a PoC; I hope not for their sake, as I will point it out if I ever discover they have, they have annoyed me this much. Hopefully they have more sense than to put a live piece of shellcode into the hands of America’s script kiddies, giving them yet another worm for DroneBL to track.

Programming languages are not sentient beings, and therefore cannot be left or right wing, communist or capitalist. What utter tripe. Stop smoking crack before you further harm your company’s reputation. Maybe the creator of Python, Guido van Rossum, is left-wing, but that doesn’t mean Python itself is. Also, how the hell is C++ capitalist?

Is Open Source software in general communist? I invite Robert to comment on this. I really, really do. Of course, I imagine that instead of commenting, or even better, apologizing to the open source world, he will probably blog about me, or post some nasty PoC about my software to bugtraq now. I’m sorry in advance for any damage he may do.

In closing, we have yet another infosec person making an arse of himself. I hope for his own sake that he reconsiders whether or not that was a wise move. Also, apologies to any legitimate infosec people who do what they do because they feel it’s important; trust me, this wasn’t about you.

Update: I just noticed that these Errata Security guys may be pro-Windows. So I guess that answers my question on whether or not this guy thinks Open Source software in general is communism.

Update 2: Craig Edwards noticed that Errata Security has instructions on how to run Metasploit on a Nokia N800 cellphone. Does this mean that cellphones are now a communist plot too?