lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 12 Jan 2012 09:21:58 -0800
From: Ian Hayes <cthulhucalling@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

On Wed, Jan 11, 2012 at 9:57 AM, Benjamin Kreuter <ben.kreuter@...il.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Tue, 10 Jan 2012 21:39:07 -0800
> Ian Hayes <cthulhucalling@...il.com> wrote:
>
>> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai <laurelai@...echan.org>
>> wrote:
>> > On 1/10/12 10:18 PM, Byron Sonne wrote:
>> >>> Don't piss off a talented adolescent with computer skills.
>> >> Amen! I love me some stylin' pwnage :)
>> >>
>> >> Whether they were skiddies or actual hackers, it's still amusing
>> >> (and frightening to some) that companies who really should know
>> >> better, in fact, don't.
>> >>
>> > And again, if companies hired these people, most of whom come from
>> > disadvantaged backgrounds and are self taught they wouldn't have as
>> > much a reason to be angry anymore. Most of them feel like they
>> > don't have any real opportunities for a career and they are often
>> > right.
>>
>> [citation needed]
>>
>> > Microsoft hired some kid who hacked their network, it is a safe bet
>> > he isn't going to be causing any trouble anymore.
>>
>> Are you proposing that we reward all such behavior with jobs? I've
>> always wanted to be a firefighter. Forget resumes, job applications
>> and interviews, I'm going to set people's houses on fire.
>
> No, it is more like you see a house on fire, call 911, then clear the
> road so that firefighters can get to the house.  You know, someone who
> is helping the professionals do their job?

Yes. But by Larueli's logic, since I know how to use a Bic lighter,
I'm infinitely more qualified that a trained firefighter. By setting
fire to other people's houses, I'm announcing my intention to join
their ranks, and deserve a job at the nearest station. Nevermind, that
20 people died and hundreds of thousands of dollars of property
damage- if the firemen were true professionals, they would have made
the houses completely fireproof a long time ago, or at the very least
responded and put out the fire before any real damage was done.

Plus, I have a Zippo, which makes me uber-leet.

>> By your
>> logic, an arsonist is not only the best person to combat other
>> arsonists, but due to his obviously unique insight into the nature of
>> fire, simply must know how best to fight a fire as opposed to someone
>> who went to school for years to learn the trade.
>
> Unless you are going to give me a proof that no attack on my network
> could be successful, you need people who can find their way through the
> cracks to evaluate the efficacy of your security system.  If the people
> you already hired to maintain your security are not able to identify
> threats and design systems that are resilient to those threats, then
> you need to hire someone else.  A security team will benefit from
> having someone poke holes in their design.

Anyone who says "you are secure, you are hacker-proof" should be shown
the door. But this is reality. Companies don't WANT to know that the
Emperor is naked. All they want is to fill in the checkbox that says
that they did their due diligence, so they pass their annual audit. If
holes are found, now they have to spend time, money and effort fixing
them, or they lose their insurance/merchant status/some kind of
accreditation. That's why most organizations are happy with some guy
who charges $500/hr to run a Nessus scan and walk out the door. He had
a goatee, and ate all of our donuts, so he must have been a real pro!

Once these businesses start asking for real security professionals and
real assessments, these "white hat" versions of script kiddies will
get weeded out.

>> > Talking about the trust issue, who
>> > would you trust more the person who has all the certs and experience
>> > that told you your network was safe or the 14 year old who proved
>> > him wrong?
>>
>> This is asinine. WHY would I want to hire someone for a position of
>> trust that just committed a crime, or at the very least acted in an
>> unethical manner?
>
> The problem is that we have criminalized too much here.  If some 14
> year old comes to you and hands you supposedly secret documents, he is
> behaving very ethically -- he is telling you that you have a
> vulnerability, rather than simply trying to sell your secrets to a
> competitor.  That sounds like a person who can be trusted to work for
> you -- someone who could have easily betrayed you, but did not, and who
> knew when and how to do the right thing.

One right does not erase a wrong. Strip away the "robbed from the
rich, gave to the poor" mythos, Robin Hood was still a thief, robber
and murderer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ