| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Jan 2012 03:55:58 -0600
From: Laurelai <laurelai@...echan.org>
To: doc mombasa <doc.mombasa@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:54 AM, doc mombasa wrote:
> and you are obviously blindly stuck on a point and has no idea how it
> actually works out there in "the real world"
> in small companies you have freedom and ability to execute
> in big companies not so much..
>
> Den 12. jan. 2012 10.52 skrev Laurelai <laurelai@...echan.org
> <mailto:laurelai@...echan.org>>:
>
> On 1/12/12 3:47 AM, doc mombasa wrote:
>> ok obviously you never worked for a big corporate entity :)
>> sure standing up to them is fine
>> after shouting about the bug for 4 months i thought bah why
>> bother its their asses not mine
>> just going in and fixing a bug without the mandate is usually not
>> a good idea (if you want to keep your job so you can pay your
>> bills that is..)
>>
>> Den 12. jan. 2012 10.41 skrev Laurelai <laurelai@...echan.org
>> <mailto:laurelai@...echan.org>>:
>>
>> On 1/12/12 3:34 AM, doc mombasa wrote:
>>> i dont know if you ever worked for a big corporate entity?
>>> like kovacs wrote its not about whether you can do it or not
>>> as an employee its more about if your manager allows you the
>>> time to do it
>>> pentesting doesnt change anything on the profits excel sheet
>>> we can agree it looks bad when shit happens but they usually
>>> dont think that far ahead
>>> i tried once reporting a very simple sql injection flaw to
>>> my manager and including a proposed fix which would take all
>>> of 5 minutes to implement
>>> 18 months went by before that flaw was fixed because there
>>> was no profits in allocating resources to fix it
>>> and that webapp was the #1 money generator for that company
>>>
>>> Den 12. jan. 2012 10.29 skrev Laurelai
>>> <laurelai@...echan.org <mailto:laurelai@...echan.org>>:
>>>
>>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>>> just one question
>>>> why should they hire the "skiddies" if most of them
>>>> only know how to fire up sqlmap or whatever current app
>>>> is hot right now?
>>>> doesnt really seem like enough reason to hire anyone
>>>> besides im not buying the whole "they do it because
>>>> they are angry at society" plop
>>>> ive been there.. they do it for the lulz
>>>>
>>>> Den 11. jan. 2012 06.18 skrev Laurelai
>>>> <laurelai@...echan.org <mailto:laurelai@...echan.org>>:
>>>>
>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>> >> Don't piss off a talented adolescent with
>>>> computer skills.
>>>> > Amen! I love me some stylin' pwnage :)
>>>> >
>>>> > Whether they were skiddies or actual hackers,
>>>> it's still amusing (and
>>>> > frightening to some) that companies who really
>>>> should know better, in
>>>> > fact, don't.
>>>> >
>>>> And again, if companies hired these people, most of
>>>> whom come from
>>>> disadvantaged backgrounds and are self taught they
>>>> wouldn't have as much
>>>> a reason to be angry anymore. Most of them feel
>>>> like they don't have any
>>>> real opportunities for a career and they are often
>>>> right. Microsoft
>>>> hired some kid who hacked their network, it is a
>>>> safe bet he isn't going
>>>> to be causing any trouble anymore. Talking about
>>>> the trust issue, who
>>>> would you trust more the person who has all the
>>>> certs and experience
>>>> that told you your network was safe or the 14 year
>>>> old who proved him
>>>> wrong? We all know if that kid had approached
>>>> microsoft with his exploit
>>>> in a responsible manner they would have outright
>>>> ignored him, that's why
>>>> this mailing list exists, because companies will
>>>> ignore security issues
>>>> until it bites them in the ass to save a buck.
>>>>
>>>> People are way too obsessed with having
>>>> certifications that don't
>>>> actually teach practical intrusion techniques. If a
>>>> system is so fragile
>>>> that teenagers can take it down with minimal effort
>>>> then there is a
>>>> serious problem with the IT security industry.
>>>> Think about it how long
>>>> has sql injection been around? There is absolutely
>>>> no excuse for being
>>>> vulnerable to it. None what so ever. These kids are
>>>> showing people the
>>>> truth about the state of security online and that
>>>> is whats making people
>>>> afraid of them. They aren't writing 0 days every
>>>> week, they are using
>>>> vulnerabilities that are publicly available. Using
>>>> tools that are
>>>> publicly available, tools that were meant to be
>>>> used by the people
>>>> protecting the systems. Clearly the people in
>>>> charge of protecting these
>>>> system aren't using these tools to scan their
>>>> systems or else they would
>>>> have found the weaknesses first.
>>>>
>>>> The fact that government organizations and large
>>>> name companies and
>>>> government contractors fall prey to these types of
>>>> attacks just goes to
>>>> show the level of hypocrisy inherent to the
>>>> situation. Especially when
>>>> their solution to the problem is to just pass more
>>>> and more restrictive
>>>> laws (as if that's going to stop them). These kids
>>>> are showing people
>>>> that the emperor has no clothes and that's whats
>>>> making people angry,
>>>> they are putting someones paycheck in danger. Why
>>>> don't we solve the
>>>> problem by actually addressing the real problem and
>>>> fixing systems that
>>>> need to be fixed? Why not hire these kids with the
>>>> time and energy on
>>>> their hands to probe for these weaknesses on a
>>>> large scale? The ones
>>>> currently in the job slots to do this clearly
>>>> aren't doing it. I bet if
>>>> they started replacing these people with these kids
>>>> it would shake the
>>>> lethargy out of the rest of them and you would see
>>>> a general increase in
>>>> competence and security. Knowing that if you get
>>>> your network owned by a
>>>> teenager will not only get you fired, but replaced
>>>> with said teenager is
>>>> one hell of an incentive to make sure you get it right.
>>>>
>>>>
>>>> Yes they would have to be taught additional skills
>>>> to round out what
>>>> they know, but every job requires some level of
>>>> training and there are
>>>> quite a few workplaces that will help their
>>>> employees continue their
>>>> education because it benefits the company to do so.
>>>> This would be no
>>>> different except that the employees would be
>>>> younger, and younger people
>>>> do tend to learn faster so it would likely take
>>>> less time to teach these
>>>> kids the needed skills to round out what they
>>>> already know than it would
>>>> to teach someone older the same thing. It is the
>>>> same principal behind
>>>> teaching young children multiple languages, they
>>>> learn them better than
>>>> adults.
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter:
>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>> Because the ones in charge right now can't even seem to
>>> fire up sqlmap now and then to see if they are vuln. And
>>> if you really believe that they just do it for the lulz
>>> line...
>>>
>>>
>> Well that's what you get when you let profit margins dictate
>> security policy. You guys act pretty tough when you argue
>> with each other online but you can't stand up to some
>> corporate idiots? Sounds like this industry could benefit
>> from these kids even more since they are driving home the
>> points you all are supposed to be warning them about.
>>
>>
> Ok, obviously you don't actually care about information security.
> Enjoy kids owning your networks.
>
>
Yes and its the fault of people who feel too intimidated to stand up for
good policy. Thats *why* big companies are this way, your part of the
problem.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists