Open Source and information security mailing list archives
Date: Thu, 12 Jan 2012 14:03:41 -0600
From: Laurelai <laurelai@...echan.org>
To: Elazar Broad <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On 1/12/12 2:00 PM, Elazar Broad wrote:
> "Sounds like this industry could benefit from these kids even more 
> since they are driving home the points you all are supposed to be 
> warning them about."
>
> That's because these kids don't have mouths to feed and a paycheck to 
> worry about. Ethics and ethos are all very nice when you have nothing 
> to lose, all to gain and no one depending on you...
>
> On Thursday, January 12, 2012 at 4:43 AM, Laurelai 
> <laurelai@...echan.org> wrote:
>
>     On 1/12/12 3:34 AM, doc mombasa wrote:
>
>         I don't know if you ever worked for a big corporate entity?
>         Like Kovacs wrote, it's not about whether you can do it or not
>         as an employee; it's more about if your manager allows you the
>         time to do it.
>         Pentesting doesn't change anything on the profits Excel sheet.
>         We can agree it looks bad when shit happens, but they usually
>         don't think that far ahead.
>         I tried once reporting a very simple SQL injection flaw to my
>         manager and including a proposed fix which would take all of 5
>         minutes to implement.
>         18 months went by before that flaw was fixed because there was
>         no profit in allocating resources to fix it,
>         and that webapp was the #1 money generator for that company.
>
>         Den 12. jan. 2012 10.29 skrev Laurelai <laurelai@...echan.org>:
>
>             On 1/12/12 3:27 AM, doc mombasa wrote:
>
>                 Just one question:
>                 why should they hire the "skiddies" if most of them
>                 only know how to fire up sqlmap or whatever current
>                 app is hot right now?
>                 Doesn't really seem like enough reason to hire anyone.
>                 Besides, I'm not buying the whole "they do it because
>                 they are angry at society" plop.
>                 I've been there... they do it for the lulz.
>
>                 Den 11. jan. 2012 06.18 skrev Laurelai
>                 <laurelai@...echan.org>:
>
>                     On 1/10/12 10:18 PM, Byron Sonne wrote:
>                     >> Don't piss off a talented adolescent with
>                     >> computer skills.
>                     > Amen! I love me some stylin' pwnage :)
>                     >
>                     > Whether they were skiddies or actual hackers,
>                     > it's still amusing (and frightening to some)
>                     > that companies who really should know better,
>                     > in fact, don't.
>                     >
>                     And again, if companies hired these people, most
>                     of whom come from disadvantaged backgrounds and
>                     are self-taught, they wouldn't have as much of a
>                     reason to be angry anymore. Most of them feel
>                     like they don't have any real opportunities for a
>                     career, and they are often right. Microsoft hired
>                     some kid who hacked their network; it is a safe
>                     bet he isn't going to be causing any trouble
>                     anymore. Talking about the trust issue, who would
>                     you trust more: the person who has all the certs
>                     and experience that told you your network was
>                     safe, or the 14 year old who proved him wrong? We
>                     all know if that kid had approached Microsoft
>                     with his exploit in a responsible manner they
>                     would have outright ignored him; that's why this
>                     mailing list exists, because companies will
>                     ignore security issues until it bites them in the
>                     ass to save a buck.
>
>                     People are way too obsessed with having
>                     certifications that don't actually teach
>                     practical intrusion techniques. If a system is so
>                     fragile that teenagers can take it down with
>                     minimal effort then there is a serious problem
>                     with the IT security industry. Think about it:
>                     how long has SQL injection been around? There is
>                     absolutely no excuse for being vulnerable to it.
>                     None whatsoever. These kids are showing people
>                     the truth about the state of security online and
>                     that is what's making people afraid of them. They
>                     aren't writing 0-days every week, they are using
>                     vulnerabilities that are publicly available,
>                     using tools that are publicly available, tools
>                     that were meant to be used by the people
>                     protecting the systems. Clearly the people in
>                     charge of protecting these systems aren't using
>                     these tools to scan their systems or else they
>                     would have found the weaknesses first.
>
>                     The fact that government organizations, large
>                     name companies and government contractors fall
>                     prey to these types of attacks just goes to show
>                     the level of hypocrisy inherent to the situation.
>                     Especially when their solution to the problem is
>                     to just pass more and more restrictive laws (as
>                     if that's going to stop them). These kids are
>                     showing people that the emperor has no clothes
>                     and that's what's making people angry: they are
>                     putting someone's paycheck in danger. Why don't
>                     we solve the problem by actually addressing the
>                     real problem and fixing systems that need to be
>                     fixed? Why not hire these kids with the time and
>                     energy on their hands to probe for these
>                     weaknesses on a large scale? The ones currently
>                     in the job slots to do this clearly aren't doing
>                     it. I bet if they started replacing these people
>                     with these kids it would shake the lethargy out
>                     of the rest of them and you would see a general
>                     increase in competence and security. Knowing that
>                     getting your network owned by a teenager will not
>                     only get you fired, but replaced with said
>                     teenager, is one hell of an incentive to make
>                     sure you get it right.
>
>
>                     Yes, they would have to be taught additional
>                     skills to round out what they know, but every job
>                     requires some level of training, and there are
>                     quite a few workplaces that will help their
>                     employees continue their education because it
>                     benefits the company to do so. This would be no
>                     different except that the employees would be
>                     younger, and younger people do tend to learn
>                     faster, so it would likely take less time to
>                     teach these kids the needed skills to round out
>                     what they already know than it would to teach
>                     someone older the same thing. It is the same
>                     principle behind teaching young children multiple
>                     languages: they learn them better than adults.
>
>                     _______________________________________________
>                     Full-Disclosure - We believe in it.
>                     Charter:
>                     http://lists.grok.org.uk/full-disclosure-charter.html
>                     Hosted and sponsored by Secunia - http://secunia.com/
>
>
>             Because the ones in charge right now can't even seem to
>             fire up sqlmap now and then to see if they are vuln. And
>             if you really believe that they just do it for the lulz
>             line...
>
>
>     Well that's what you get when you let profit margins dictate
>     security policy. You guys act pretty tough when you argue with
>     each other online but you can't stand up to some corporate idiots?
>     Sounds like this industry could benefit from these kids even more
>     since they are driving home the points you all are supposed to be
>     warning them about.
>
>
Live your life like every day is your last :)
