This isn't just in infosec. The myth of the auteur is common across jobs that rely on groups of people. There is always someone willing to claim singular or outsize credit for something that is a collaborative, iterative, communal endeavour. See: CEOs.
the cheesy names thing is something I really don't like about being in the security business. it sabotages smart people who have to repeat these things with a straight face.<p>imo the security field needs a new story, as what got it here doesn't get it where it needs to be. it was cool and interesting when the adversary was domestic political surveillance, but now?<p>I don't really want security in anything. I want good engineering with the features and autonomy to take and manage my own risks. I'd like to not have to think about spies and thieves. If something breaks or gets stolen, I'd like for it to be easily fixed or replaced. I don't want to be interdependent. I'd also like to be able to use superior technical skills to disable, disrupt, and deny annoying people who use consumer technologies maliciously, and to keep governments in check from using tech to oppress people.<p>building security products today achieves none of these things, and usually just consolidates the interests of a bureaucracy. I agree that security marketing has made the products and narrative unbearable, but maybe I have a more accelerationist view, which is, let them be lame. The world is a better place when the administrators fear their users.
What is this drivel? This is a half-baked article that should be called "Here's some names of two hacker groups and a barely-formed thought about naming hacking groups."
There’s a lot of (misconceptions/blatant falsehoods(?)) in this article but one I want to focus on is in this statement:<p>"Often, the high-tech services that the cyber security sector sells protect the front door, while offenders continue to sneak in the back one using low-tech methods."<p>A major part of Crowdstrikes offering is meant to detect/combat this kind of initial access. In fact most of the companies I’ve worked with have had an offering devoted to it as it’s considered pretty basic.<p>Additionally the names given to these threat actors aren’t meant to be creative. They follow a convention determined by the intelligence gathering company involved. In this case Spider = criminals (not a nation state actor). Sometimes the first part might be based on some kind of hallmark of the group.
"In the cyber security industry, however, marketing is everything. Names are chosen to invoke a visceral reaction and to promote fear. That fear helps to turn people towards expensive high-tech security products."<p>"Often, the high-tech services that the cyber security sector sells protect the front door, while offenders continue to sneak in the back one using low-tech methods."