Date: Thu, 4 Dec 2008 22:29:21 +0000
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Project Chroma: A color code for the state of cyber security

On Thu, Dec 4, 2008 at 4:36 PM, Razi Shaban <razishaban@...il.com> wrote:
> On Thu, Dec 4, 2008 at 5:03 PM, Chris Jeane <rysheve@...il.com> wrote:
>> The Project Chroma Project website reads (I have highlighted the colors in
>> black so that they are readable):
>>
>> Levels crap
>>
>
> On Thu, Dec 4, 2008 at 6:28 PM, Razi Shaban <razishaban@...il.com> wrote:
>> On Thu, Dec 4, 2008 at 6:02 PM, Chris Jeane <rysheve@...il.com> wrote:
>>> Exactly. Which is why there is a need of a system that contains more
>>> information and less cookie cutter levels. We still don't know what a
>>> cyber-war looks like. One country could attack the transport/power systems
>>> of a third party that supplies/supports their target. This is all
>>> hypothetical, but there is a high probability of collateral damage.
>>>
>>
>> You misunderstood me. What I was getting at is that your ideas,
>> including a "cyber-war" and all this leveling, show that you are about
>> as uninformed as n3td3v. Please take your nub spam somewhere else.
>>
>> --
>> Razi Shaban
>>
>
> To explain the idea of leveling: The internet is a gigantic place. No
> matter when and from where you connect, it is out to get you, you
> individually. Also, large-scale cyber wars are a constant thing. I am
> aware of three very large-scale wars taking place at the moment, does
> that increase or decrease the risk any user would be taking by
> accessing the internet? Of course not. The concept of basing a
> levelling system on a few organized national or private attempts to do
> something or another is ridiculous; the Estonian attack compromised
> less than 0.0001% of all cyber attacks during that time period.
>
> The matter of the fact is, attempting to take the hugely complex and
> intricate dark side of the internet and summarize it in a color level
> is absurd. In fact, attempting to summarize it at all is ridiculous.
> Summarizing implies that you know everything about the topic. Anyone
> trying to summarize this knows nothing when he/she realizes the
> vastness of the internet.
>
> tl;dr : attempting to summarize the internet is less fruitful than
> throwing ice cubes at the sun, but it requires much lesser
> intelligence to do the first.
>

I can't believe people are still using Estonia as an example of a
cyber attack, it was a false flag on an epic scale and so obvious to
I.T security experts. The government have got to try harder if they
want to convince the industry that cyber terrorism is a real threat.
But the fact is Estonia and Georgia just weren't convincing enough at
least for me, I don't know what others think.

And the shutting down of a turbine and posting the video to CNN was
just a joke, there was no actual evidence of how the turbine shut
down, it could just be a man in the corner flicking a switch, there
was no evidence of someone using a computer to shut it down, we were
told it was a cyber attack doing it, but no proof or evidence was
given to prove it. They didn't even have a guy with a laptop standing
beside it or anything like that, really the government are clueless
when it comes to cyber security and creating a convincing false flag.

When it comes to power stations being shut down through computerised
attack, I don't see the threat coming from cyber terrorism, what I see
as more of a threat is accidental infection, like the three hospitals
in London that got shut down last month because of the MyTob worm/
virus, the industry sit up and listen to that kind of thing and take
it seriously (or at least I did), but they shouldn't take seriously
Estonia, Georgia, DHS turbine videos.

Cyber terrorism isn't a real threat in the climate we're in right now,
what we should fear is accidental infection like the three hospitals
in London. That got my attention more than Estonia, Georgia, DHS
turbine video put together, because it was so obvious that the three
hospitals in London was a genuine incident and not set up by the
powers that be.

We should worry more about staff competence being the main threat, not
cyber terrorism, but mistakes made by I.T departments and accidental
infection onto networks that are sensitive like the three hospitals in
London.

Please it just makes me cringe when I see people using Estonia as a
way to pave political policy and setting up things. There is no cyber
terrorism guys, there is staff incompetence and accidental infection
that is the biggest worry for me right now, than some people in a cave
wanting to carry out an electronic jihad.

Money is wasted setting up cyber commands and other stuff, the money
should really be spent on making sure the private and public sector
and academia is trained to a specific standard so that the three
hospitals incident can't happen again.

As for the color code thing, that's just a load of wash and bollocks
that's not needed, it's good for businesses like Symantec and SANS to
have alert levels, because fear is part of what they play on to make
the money that they do.

All the best,

n3td3v
