lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 15 Jun 2011 12:16:43 -0400
From: Valdis.Kletnieks@...edu
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Absolute Sownage (A concise history of recent
	Sony hacks)

On Tue, 14 Jun 2011 19:42:37 PDT, coderman said:
> consider it this way: when programming the "weird machine" to do your
> bidding some vectors to vuln are context-agnostic and readily
> repeatable. (the 95%)
>
> the other 5% are present in the specific configuration or context of
> system under attack and thus require actual technical ability and
> insight to traverse the vuln vectors. (or exploit chain, or attack
> tree, or whatever you want to call it.)
>
> cover the 95% and you won't be an HBGary, Sony, LulzSec target.
>
> however, don't interpret this as evidence you can't get hacked six
> ways to sunday by someone with the skillz.

And there's the flip side of it - there's some 140+ million .com's out there.
For the vast majority of them, covering the 95% is in fact sufficient, because
they are *so* small that it's probably safe to bet that everybody with actual
skillz is too busy hitting more valuable targets to bother whacking them.

After all, how many black hats with skillz will spend 3-4 days figuring out
how to whack Billy Bob's Bait, Tackle and Cell Phones and make maybe a
few hundred dollars, when they can go whack something in the 95% range
in a short afternoon and make 10 times as much?

Yes, you're still technically vulnerable, but at some point you really need
to give up the paranoia and get on with your actual business. Security
is all about tradeoffs - it may make more sense to say "We got 10K
customers, *if* we get whacked we just apologize, spend $25K on
credit card monitoring services for them, and get on with our business".
If you figure on a 10% chance of getting whacked, that's an average expected
expense of only $2,500 a year.  How fast can you burn through $2500
trying to secure that last 5%?


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists