| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Jan 2012 15:00:49 -0500
From: "Elazar Broad" <elazar@...hmail.com>
To: "Laurelai" <laurelai@...echan.org>, "doc mombasa" <doc.mombasa@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response
"Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about."
That's because these kids don't have mouths to feed and a paycheck to
worry about. Ethics and ethos are all very nice when you have nothing
to lose, all to gain and no one depending on you...
On Thursday, January 12, 2012 at 4:43 AM, Laurelai wrote:
On 1/12/12 3:34 AM, doc mombasa wrote: i dont know if
you ever worked for a big corporate entity? like kovacs wrote
its not about whether you can do it or not as an employee its
more about if your manager allows you the time to do it
pentesting doesnt change anything on the profits excel sheet
we can agree it looks bad when shit happens but they usually
dont think that far ahead i tried once reporting a very simple
sql injection flaw to my manager and including a proposed fix
which would take all of 5 minutes to implement 18 months
went by before that flaw was fixed because there was no
profits in allocating resources to fix it and that webapp was
the #1 money generator for that company
Den 12. jan. 2012 10.29 skrev Laurelai :
On 1/12/12 3:27 AM,
doc mombasa wrote:
just one question why should they hire the
"skiddies" if most of them only know how to fire
up sqlmap or whatever current app is hot right
now? doesnt really seem like enough reason to hire
anyone besides im not buying
the whole "they do it because they are angry at
society" plop ive been there.. they do it for the
lulz
Den 11.
jan. 2012 06.18 skrev Laurelai :
On 1/10/12 10:18 PM, Byron
Sonne wrote:
>> Don't piss off a talented adolescent
with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual
hackers, it's still amusing (and
> frightening to some) that companies who
really should know better, in
> fact, don't.
>
And again, if companies
hired these people, most of whom come from
disadvantaged backgrounds and are self taught
they wouldn't have as much
a reason to be angry anymore. Most of them feel
like they don't have any
real opportunities for a career and they are
often right. Microsoft
hired some kid who hacked their network, it is
a safe bet he isn't going
to be causing any trouble anymore. Talking
about the trust issue, who
would you trust more the person who has all the
certs and experience
that told you your network was safe or the 14
year old who proved him
wrong? We all know if that kid had approached
microsoft with his exploit
in a responsible manner they would have
outright ignored him, that's why
this mailing list exists, because companies
will ignore security issues
until it bites them in the ass to save a buck.
People are way too obsessed with having
certifications that don't
actually teach practical intrusion techniques.
If a system is so fragile
that teenagers can take it down with minimal
effort then there is a
serious problem with the IT security industry.
Think about it how long
has sql injection been around? There is
absolutely no excuse for being
vulnerable to it. None what so ever. These kids
are showing people the
truth about the state of security online and
that is whats making people
afraid of them. They aren't writing 0 days
every week, they are using
vulnerabilities that are publicly available.
Using tools that are
publicly available, tools that were meant to be
used by the people
protecting the systems. Clearly the people in
charge of protecting these
system aren't using these tools to scan their
systems or else they would
have found the weaknesses first.
The fact that government organizations and
large name companies and
government contractors fall prey to these types
of attacks just goes to
show the level of hypocrisy inherent to the
situation. Especially when
their solution to the problem is to just pass
more and more restrictive
laws (as if that's going to stop them). These
kids are showing people
that the emperor has no clothes and that's
whats making people angry,
they are putting someones paycheck in danger.
Why don't we solve the
problem by actually addressing the real problem
and fixing systems that
need to be fixed? Why not hire these kids with
the time and energy on
their hands to probe for these weaknesses on a
large scale? The ones
currently in the job slots to do this clearly
aren't doing it. I bet if
they started replacing these people with these
kids it would shake the
lethargy out of the rest of them and you would
see a general increase in
competence and security. Knowing that if you
get your network owned by a
teenager will not only get you fired, but
replaced with said teenager is
one hell of an incentive to make sure you get
it right.
Yes they would have to be taught additional
skills to round out what
they know, but every job requires some level of
training and there are
quite a few workplaces that will help their
employees continue their
education because it benefits the company to do
so. This would be no
different except that the employees would be
younger, and younger people
do tend to learn faster so it would likely take
less time to teach these
kids the needed skills to round out what they
already know than it would
to teach someone older the same thing. It is
the same principal behind
teaching young children multiple languages,
they learn them better than
adults.
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/
Because the
ones in charge right now can't even seem to fire up sqlmap
now and then to see if they are vuln. And if you really
believe that they just do it for the lulz line...
Well that's what you get when you let profit margins dictate
security policy. You guys act pretty tough when you argue with
each other online but you can't stand up to some corporate idiots?
Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists