There are a lot of unwritten rules in the security industry and, unfortunately, there’s a whole crop of new companies coming up that just don’t seem to understand them. So, as a public service, I’m going to explicitly explain one of them here… i.e. an “unwritten rule” is about to become “written”:
Thou shalt not chaseth ambulances.
Now being somewhat “old skool” in my way of thinking, I’m a little surprised that something like this even needs to be said.
According to Wikipedia (The Oracle of All Knowledge - Praise be… Praise be…), the term “ambulance chasing,” sometimes known as barratry, refers to a lawyer soliciting for clients at a disaster site. The term “ambulance chaser” comes from the stereotype of lawyers that follow ambulances to the emergency room to find clients.
Now, I spend an inordinate amount of my time at digital “disaster sites.” I contact lots and lots of folks who have had their websites hacked, and I generally do it in whatever is the most expedient way possible. I would rank “notification methods” as follows, from easiest to hardest:
- Phone calls
Unfortunately, tweeting, while fast and easy, is a bit “public.” Perhaps I need to rethink things.
Today, I fired off several tweets to notify some folks that they’d been hacked. Over the years, I’ve developed some pretty generic “notification language”:
A little while after firing off those tweets, I noticed that someone else had been paying attention:
Who is “Astra?” A quick look at their website shows that they sell a web application firewall targeted at PHP-based CMS solutions.
Now, I have no idea if their software is fifty shades of awesome or a total piece of crap. (It does, however, appear to come with a “Trust Seal” that you can display on your site… a total guarantee of awesomeness EVERY. DAMNED. TIME.) I really didn’t look into their product, because I first took a look at their tweet history. It screams “ambulance chaser.” (Actually, it screams “ambulance chaser with poor grammar,” but let’s not quibble…)
Right there, I know everything I need to about Astra.
So… I called them out on it:
“Security is best sold to people hacked.”
Uh, no… Security is “best sold” to people before they’re hacked. Security is “best sold” based on the merits of your product, not on the fact that, like a scavenger, you show up at the kill site before the body has even had time to cool. Quick-fix snake oil often gets sold to people right after they’ve been hacked. (Not that I’m saying Astra is snake oil… I honestly don’t know. They do have a “Trust Seal,” so there’s that…)
Here’s the thing: chasing ambulances is sleazy because it’s all too easy to take advantage of people who are already in a vulnerable place. Heck, even lawyers (who, let’s face it, aren’t generally known for their high ethical standards) look down on their peers who chase ambulances. In fact, rule 7.3 of the American Bar Association Model Rules of Professional Conduct specifically attempts to prohibit barratry.
If you’re in the security biz, you really SHOULD know and understand the sleaze factor behind ambulance chasing. I notify people they’ve been compromised nearly every day, and I’ve been implicitly and explicitly accused of all manner of things, but I’ve never felt more hurt than when someone says, “Oh, I suppose you want to sell me something to fix this…”
No, I don’t.
You see, my goal is to live a professional life that - at minimum - meets or exceeds the American Bar Association Model Rules of Professional Conduct.
Because as “bars” go, the Bar’s bar is pretty low.
Owner, Principal Consultant
Bad Wolf Security, LLC
Senior Technical Engineer
June 25, 2016