From: yossarian at planet.nl (yossarian)
Subject: Full-Disclosure Posts

I can understand the frustrations of seeing bad security. But what makes a
'hacker' better than an academic with some training? Either can be good, or
extremely bad.

In my experience some hackers can think secure instead of break, but most
can't. There is a major difference which many people - including hackers -
rarely see: as a hacker you look for a way in, and when you're in, you
exploit, notify or sit back and feel proud. In a comparison to the military,
you're a sniper or a fighter ace - whatever. As for a security
professional - the job is plugging all holes. Or designing stuff so that
other people won't create them (you probably don't build all the systems
yourself), but somehow they still manage to break nearly every 'good'
design. You are a grunt doing the footwork or a sergeant leading the
infantry - where some bone-headed general sends you with tools other people
choose for you. And in the end you don't get a medal. No heroics - it takes
a different mindset. That is probably why a lot of so-called security
professionals are bad at their job too. Try staying motivated and up to
date - since exploits come in every layer. Hackers normally focus on
specific types of holes - you can't - and have much time - you don't.

The worst thing is, if you are good at security, either a reformed hacker or
retrained academic - companies will love you since you understand nearly
everything about the infra. So they promote you, away from the frontline.
Then the lesser gods will do the job with predictable results. You can turn
down a promotion, sure, otherwise you'll be branded as being in it for the
money. But in most companies 'doing' security is a lonely job where other
people make the decisions, like installing an old version of PCanywhere on a
reverse proxy, so they can do their 'support' from home - well, after a
few of these events, you'll take the promotion. Not for the money, but to
get away from the thick skulls.

But Dear Backyard - have you applied for a job at Yahoo as a security pro?
Apparently you know what they should know and you are willing to tell
them.... If not - give it a try.


----- Original Message -----
From: "backyard@...oo-inc" <xploitable@...il.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, October 17, 2004 9:54 PM
Subject: Re: [Full-Disclosure] Full-Disclosure Posts


> On Sun, 17 Oct 2004 12:34:33 -0500, Todd Towles
> <toddtowles@...okshires.com> wrote:
> > I agree with your idea, but I am one of those uni graduate/20-something
> > professionals. I am very passionate about my work and the security of the
> > company I work for. I work in a rural state and the money isn't as high
> > as some other places. I took a pay cut to work in the IT field when I
> > finished college.
> >
> > Maybe you weren't talking about people like myself in your statement
> > (since most people that are part of FD are here to be on the edge of
> > security and around people that understand them) but it seemed like you
> > were talking in pretty general terms....with that in mind I have to
> > disagree with you that all the 20-something professionals are not good
> > security professionals. A lot of the older folks are sitting in the
> > corner talking about their 1980 modems, while some 15 year old from
> > South America uses a three year old exploit on their misconfigured
> > Apache webserver and defaces it.
> >
> > I agree that you have to love computers...you have to eat and sleep
> > computers/security to be good in the field and a lot of people in the IT
> > field aren't like that. Kinda sad, but I will have their job one
> > day..so..I just smile.
> >
>
>
> My motivation is yahoo.. these guys need to wake up more. Everything
> about them says they are out of touch with the threats of today. If
> you report X, they patch X, even if they know Y and Z are vulnerable,
> the apparent attitude is to leave Y and Z until they get reported or
> become an active problem, because they want to move onto the next
> reported vulnerability. From the idea I get, it's all about what looks
> good on paper and productivity. I mean, I bet yahoo hand out most
> productive security employee of the month awards and stuff. It's all
> screwed up and wrong.
>
> My stance is.. yahoo sack all the ones who are in it for the money,
> keep the employees who think like a hacker, then recruit some real
> life hackers from the underground. That combination is a winning
> security team, not the current team who in my opinion are out of touch
> and outdated for the threats of the 21st century.
>
> As for misconfigured web servers with 3 year old exploit. Yahoo!
> don't even need exploits and misconfigured web servers. They do fine by
> cutting corners and taking shortcuts in security. Half the network is
> vulnerable to all manner of stuff. In my opinion, the only threat to
> Yahoo are Yahoo themselves, not hackers.
>
> Sorry to go on about yahoo, but it's something I'm passionate about.
>
> Feel free to hit the block sender button, I fully understand.
>
> :-)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html