Date: Thu, 23 Oct 2008 22:26:40 -0400
From: Ureleet <ureleet@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DHS / US-CERT do we need them want them?

while i see wut u r getting at, at the end of the day, u live in the
uk, so stfu.  uscert does necessary work, and i know 4 a fact that dhs
is doing a lot of good.  maybe not in cybersecurity, which apparently
is the only thing you think about instead of looking @ a bigger
picture..  but dhs is very necessary.  it works.  and u r again,
wrong.

On Thu, Oct 23, 2008 at 7:01 PM, n3td3v <xploitable@...il.com> wrote:
> I'm not against anyone here, just I think and most people agree DHS
> has been pretty pointless and ineffective in its goals. You can see
> they mean well, but they do it all wrong. Basically, it seemed to be a
> department which grouped existing or new departments together under
> one umbrella. I think the point was to centralise them all into one
> command and control coordination group called DHS. Did US-CERT do
> well, what do they do? They look out for vulnerabilities on the
> mailing lists and act as a bridge between vendors and the interest of
> the government. If the government have an interest in say a DNS
> vulnerability, they will email vendors and say, you got to patch this,
> we are putting pressure on you to patch. Also, the federal government
> are rolling out DNSSEC to its domain name infrastructure. So,
> basically, US-CERT seems to be an oversight posture, oversighting not
> only their government interests, but over sighting businesses and
> academia, to make sure their standards are up to scratch and making
> sure they know what they need to know so that they can make a decision
> which US-CERT will end up bullying them into doing with emails and
> telephone calls. So I can see maybe US-CERT might have a reason to be
> there, to oversight the rest of us and bully us with recommendations,
> they force upon you if you don't take the primary polite hint at
> updating something. Do we need US-CERT? Do we Need DHS? The truth is,
> we could probably keep US-CERT, but generally they are just bullies
> with the security community they over sight with, and if the DHS was
> disbanded, then the US-CERT could still exist without the DHS
> umbrella, although it might be better if US-CERT and DHS just go at
> the same time. I agree with the idea of what they want to do, I just
> don't like the way in which they do it. Their approach to protecting
> the homeland is all wrong. US-CERT are bullies to the infosec
> community, we shouldn't need to feel intimidated by them, they I feel
> some vendors are in times like the DNS flaw when the government start
> demanding things. Good night. The things that US-CERT do and
> recommend, the vendors know about already, US-CERT are just like an
> annoyance alarm bell in your ear you can't get rid of when you already
> know what you need to know. So if US-CERT and DHS weren't around we
> wouldn't be less off, we would be better off without them. I'm sure
> they, US-CERT keep doing it to their own government departments as
> well, emailing and phone calling them about things they already know
> about. Lastly, their email alert system, it is slow, so slow at
> telling people about things, that it just becomes a spam alert in your
> inbox of old news, and that reflects what I was talking about in this
> email about them sending spear targeted emails and phone calls to
> vendors and government departments, which already have their security
> teams taking care of issues and don't need the over sight and bully
> boy annoyances that US-CERT seem to pose. The funny thing is, this
> isn't even personal experience I'm talking about, as you know I'm not
> part of the professional community, but I know what's going on because
> I talk to people and I read the mailing lists and get the vibe that
> this is what the US-CERT do in reality is bully boy people into doing
> things and telling them things they already know, and demand things
> are done. And in times of need, force people to work with each other
> even if they don't really want to. Maybe the forcing people to
> collaborate is a good thing at critical times, but you don't need a
> whole US-CERT for that, it just takes a couple of independent folks to
> do that, out there in the community when it becomes apparent when
> action with multi-vendors, governments is required. Do we need, DHS,
> no. Do we need to keep US-CERT, no because the skilled folks are
> already there at each government department and vendor, they are more
> up to speed than the DHS and US-CERT appear to be on security
> vulnerabilities and what needs to be done. There is no need to pump
> money into US-CERT which only tells people what they know already,
> this is the case with individual end-users, vendors and government
> departments, they don't see US-CERT/DHS that is needed, it's just a
> luxury. It's like driving a bentley, when I can still get to where I
> want to go in a mini. The mini is smaller, more economic on fuel,
> nippier round the bends in the cities, while the bentley is a big
> heavy, fuel/money guzzler, slower but looks shinier on the outside,
> but in fact does the same thing as the mini. So better off with the
> mini I say, unless you just are a show off and want to impress people
> on the outside, when not really offering anything new on the inside
> that the mini can't offer. And with the mini / bentley thing now in
> your head, that is basically what it comes down to and explains the
> situation well, why have a bentley, when all we want is a mini? Or
> better off get a bus or a train and don't bother with any oversight
> group that bullies people and offers nothing new to anyone that they
> didn't know already. Another rant done and done, good night. Sorry
> people who work for US-CERT, you are probably nice guys who mean well,
> but never mind you get my point. n3td3v. Take care everybody, we as
> white hats should stick together, but just because I don't agree with
> something a white hat does doesn't make me bad. People seem to think
> if you're a white hat, you can't speak out about another white hat or
> you will be called a bad person, no I think it's ok to talk about other
> white hats if another white hat doesn't agree with something. But
> people like valdis will still call me names, but he is probably a
> republican, so who cares. n3td3v is not a bad person I'm a good natured
> person, maybe with shit social skills but who cares about it??? We
> don't come great computer people by having a social life and going out
> places, do we? Good night.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
