<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Researcher Matt Miller joins the Microsoft security team</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/security-bytes/researcher-matt-miller-joins-the-microsoft-security-team/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/security-bytes/researcher-matt-miller-joins-the-microsoft-security-team/</link>
	<description>A SearchSecurity.com blog</description>
	<pubDate>Wed, 25 Nov 2009 10:31:31 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Anony Mouse</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/researcher-matt-miller-joins-the-microsoft-security-team/#comment-544</link>
		<dc:creator>Anony Mouse</dc:creator>
		<pubDate>Sun, 24 Aug 2008 19:39:50 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2008/08/18/researcher-matt-miller-joins-the-microsoft-security-team/#comment-544</guid>
		<description>I have read Professor Spafford’s response to this post and I find myself a bit puzzled.

There appear to be three distinct themes in his response: a quibble about terminology, a rant about lack of funding and, finally, what appears to be a shot at Microsoft for discontinuing support (moral? financial?) for the “real” researchers at Purdue.

This begs further discussion.

Whether Mr. Miller and his ilk are called “security researchers”, “professional penetration testers”, “poseurs” or “felons” is irrelevant. What *is* relevant is that Mr. Miller and others like him have specific subject matter expertise that can be applied to various classes of *real*, as opposed to theoretical, security problems. Dan Kaminsky recently reported a major *design* flaw in DNS – by all accounts he did a tremendous amount of work, then took pains to have his work peer-reviewed, and then worked responsibly with various groups (including US CERT, vendors and Paul Vixie) to craft a remediation. I fail to see where this differs markedly from the research process employed in “real” computer science and, more pointedly, I note that the discovery did *not* come from the “real” security research community to which Professor Spafford belongs.

Thus, the next issue that begs to be discussed is: if Professor Spafford is so offended by the “noms de guerre” of the legitimate hacker community who are focusing applied expertise on real world (e.g. DNS) problems, what has the “real” security research community contributed of late? To be sure, there are pockets of brilliance – exceedingly smart individuals in academia who are working on hard security problems and producing great results (Dan Boneh at Stanford, Ed Felten at Princeton, and David Wagner at Berkeley come to mind). Given that, let us take it one step further – what DNS-class flaw or other profoundly seminal work has Purdue contributed of late? Analysis of the Morris Worm, Dan/SATAN and Tripwire are all noted – and all old news. Yes, I know of Arxan, but I believe that was Professor Atallah.

While Professor Spafford concedes that the role of “professional penetration tester” requires “some” talent, I expect that it is not lost on him that individuals like Mr. Miller are in business due in large part to the *failure* of the higher education system – form over function at all costs. While I know that Purdue and Professor Spafford cannot be held to account for the entire academic computer science research community, can we at least expect that all CS students from Purdue are so well versed in security that Mr. Miller, Mr. Kaminsky and others need not pay attention to the software they create or the systems they design?

With regard to the comment that Microsoft hiring Mr. Miller is “likely to further divert resources”, this seems to be a specious argument – whether Microsoft, Apple or Victoria’s Secret hires individuals from this field is irrelevant. It is *not* the responsibility of corporations to fund academic research – that is the job of government. Simple economics and business practice dictate that money follows expertise – if Microsoft Research (or any other funding entity, government or otherwise) can identify or derive value from the work done at Purdue, then expect a windfall. If not, then that may prompt some soul searching. In the meantime, expect others like the “false gods” of the security research community to cash in on your behalf.</description>
		<content:encoded><![CDATA[<p>I have read Professor Spafford’s response to this post and I find myself a bit puzzled.</p>
<p>There appear to be three distinct themes in his response: a quibble about terminology, a rant about lack of funding and, finally, what appears to be a shot at Microsoft for discontinuing support (moral? financial?) for the “real” researchers at Purdue.</p>
<p>This begs further discussion.</p>
<p>Whether Mr. Miller and his ilk are called “security researchers”, “professional penetration testers”, “poseurs” or “felons” is irrelevant. What *is* relevant is that Mr. Miller and others like him have specific subject matter expertise that can be applied to various classes of *real*, as opposed to theoretical, security problems. Dan Kaminsky recently reported a major *design* flaw in DNS – by all accounts he did a tremendous amount of work, then took pains to have his work peer-reviewed, and then worked responsibly with various groups (including US CERT, vendors and Paul Vixie) to craft a remediation. I fail to see where this differs markedly from the research process employed in “real” computer science and, more pointedly, I note that the discovery did *not* come from the “real” security research community to which Professor Spafford belongs.</p>
<p>Thus, the next issue that begs to be discussed is: if Professor Spafford is so offended by the “noms de guerre” of the legitimate hacker community who are focusing applied expertise on real world (e.g. DNS) problems, what has the “real” security research community contributed of late? To be sure, there are pockets of brilliance – exceedingly smart individuals in academia who are working on hard security problems and producing great results (Dan Boneh at Stanford, Ed Felten at Princeton, and David Wagner at Berkeley come to mind). Given that, let us take it one step further – what DNS-class flaw or other profoundly seminal work has Purdue contributed of late? Analysis of the Morris Worm, Dan/SATAN and Tripwire are all noted – and all old news. Yes, I know of Arxan, but I believe that was Professor Atallah.</p>
<p>While Professor Spafford concedes that the role of “professional penetration tester” requires “some” talent, I expect that it is not lost on him that individuals like Mr. Miller are in business due in large part to the *failure* of the higher education system – form over function at all costs. While I know that Purdue and Professor Spafford cannot be held to account for the entire academic computer science research community, can we at least expect that all CS students from Purdue are so well versed in security that Mr. Miller, Mr. Kaminsky and others need not pay attention to the software they create or the systems they design?</p>
<p>With regard to the comment that Microsoft hiring Mr. Miller is “likely to further divert resources”, this seems to be a specious argument – whether Microsoft, Apple or Victoria’s Secret hires individuals from this field is irrelevant. It is *not* the responsibility of corporations to fund academic research – that is the job of government. Simple economics and business practice dictate that money follows expertise – if Microsoft Research (or any other funding entity, government or otherwise) can identify or derive value from the work done at Purdue, then expect a windfall. If not, then that may prompt some soul searching. In the meantime, expect others like the “false gods” of the security research community to cash in on your behalf.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dennis Fisher</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/researcher-matt-miller-joins-the-microsoft-security-team/#comment-543</link>
		<dc:creator>Dennis Fisher</dc:creator>
		<pubDate>Tue, 19 Aug 2008 12:47:41 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2008/08/18/researcher-matt-miller-joins-the-microsoft-security-team/#comment-543</guid>
		<description>This comment was submitted by Gene Spafford of Purdue University's CERIAS center:

As a real security researcher it bothers me that people who focus on finding vulnerabilities in existing (usually weak) systems are given the same title. I will concede that there is some talent required to find some of the vulnerabilities that are exposed. However, that really isn't "security research" any more than finding a way to break in and steal the disks is "security research." Security research includes organized analysis, design, construction and derivation of more general principles. "Professional penetration tester" is a fair title, and one with honor and history going back many decades (although I suspect few of the current fraternity have actually studied the methods and discoveries of the pioneers in the field). My concern is that real security research -- into better protocols, architectures, forensics, formal models, and more -- is badly underfunded and poorly supported. Giving people the idea that finding exploits for flaws in systems that weren't really designed for security is "research" is likely to further divert resources away from efforts that could make a difference in the future. It is especially disappointing, in light of this particular post, to note that Microsoft is discontinuing their support of our (real) security research center -- because they could not find someone inside Microsoft Research who was willing to advocate internally that it was important. "Penetrate and patch" is probably important for many vendors and customers as long as overly-complex systems with little security design are dominant. Penetration testers and automated patching are part of that landscape. But it doesn't have to be that way, and real research can make a difference, if it is supported....and that is less likely if the majority of people think that "research" is primarily (or only) breaking systems.</description>
		<content:encoded><![CDATA[<p>This comment was submitted by Gene Spafford of Purdue University&#8217;s CERIAS center:</p>
<p>As a real security researcher it bothers me that people who focus on finding vulnerabilities in existing (usually weak) systems are given the same title. I will concede that there is some talent required to find some of the vulnerabilities that are exposed. However, that really isn&#8217;t &#8220;security research&#8221; any more than finding a way to break in and steal the disks is &#8220;security research.&#8221; Security research includes organized analysis, design, construction and derivation of more general principles. &#8220;Professional penetration tester&#8221; is a fair title, and one with honor and history going back many decades (although I suspect few of the current fraternity have actually studied the methods and discoveries of the pioneers in the field). My concern is that real security research &#8212; into better protocols, architectures, forensics, formal models, and more &#8212; is badly underfunded and poorly supported. Giving people the idea that finding exploits for flaws in systems that weren&#8217;t really designed for security is &#8220;research&#8221; is likely to further divert resources away from efforts that could make a difference in the future. It is especially disappointing, in light of this particular post, to note that Microsoft is discontinuing their support of our (real) security research center &#8212; because they could not find someone inside Microsoft Research who was willing to advocate internally that it was important. &#8220;Penetrate and patch&#8221; is probably important for many vendors and customers as long as overly-complex systems with little security design are dominant. Penetration testers and automated patching are part of that landscape. But it doesn&#8217;t have to be that way, and real research can make a difference, if it is supported&#8230;.and that is less likely if the majority of people think that &#8220;research&#8221; is primarily (or only) breaking systems.</p>
]]></content:encoded>
	</item>
</channel>
</rss>