| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Jan 2012 03:52:13 -0600
From: Laurelai <laurelai@...echan.org>
To: doc mombasa <doc.mombasa@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:47 AM, doc mombasa wrote:
> ok obviously you never worked for a big corporate entity :)
> sure standing up to them is fine
> after shouting about the bug for 4 months i thought bah why bother its
> their asses not mine
> just going in and fixing a bug without the mandate is usually not a
> good idea (if you want to keep your job so you can pay your bills that
> is..)
>
> Den 12. jan. 2012 10.41 skrev Laurelai <laurelai@...echan.org
> <mailto:laurelai@...echan.org>>:
>
> On 1/12/12 3:34 AM, doc mombasa wrote:
>> i dont know if you ever worked for a big corporate entity?
>> like kovacs wrote its not about whether you can do it or not as
>> an employee its more about if your manager allows you the time to
>> do it
>> pentesting doesnt change anything on the profits excel sheet
>> we can agree it looks bad when shit happens but they usually dont
>> think that far ahead
>> i tried once reporting a very simple sql injection flaw to my
>> manager and including a proposed fix which would take all of 5
>> minutes to implement
>> 18 months went by before that flaw was fixed because there was no
>> profits in allocating resources to fix it
>> and that webapp was the #1 money generator for that company
>>
>> Den 12. jan. 2012 10.29 skrev Laurelai <laurelai@...echan.org
>> <mailto:laurelai@...echan.org>>:
>>
>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>> just one question
>>> why should they hire the "skiddies" if most of them only
>>> know how to fire up sqlmap or whatever current app is hot
>>> right now?
>>> doesnt really seem like enough reason to hire anyone
>>> besides im not buying the whole "they do it because they are
>>> angry at society" plop
>>> ive been there.. they do it for the lulz
>>>
>>> Den 11. jan. 2012 06.18 skrev Laurelai
>>> <laurelai@...echan.org <mailto:laurelai@...echan.org>>:
>>>
>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> >> Don't piss off a talented adolescent with computer
>>> skills.
>>> > Amen! I love me some stylin' pwnage :)
>>> >
>>> > Whether they were skiddies or actual hackers, it's
>>> still amusing (and
>>> > frightening to some) that companies who really should
>>> know better, in
>>> > fact, don't.
>>> >
>>> And again, if companies hired these people, most of whom
>>> come from
>>> disadvantaged backgrounds and are self taught they
>>> wouldn't have as much
>>> a reason to be angry anymore. Most of them feel like
>>> they don't have any
>>> real opportunities for a career and they are often
>>> right. Microsoft
>>> hired some kid who hacked their network, it is a safe
>>> bet he isn't going
>>> to be causing any trouble anymore. Talking about the
>>> trust issue, who
>>> would you trust more the person who has all the certs
>>> and experience
>>> that told you your network was safe or the 14 year old
>>> who proved him
>>> wrong? We all know if that kid had approached microsoft
>>> with his exploit
>>> in a responsible manner they would have outright ignored
>>> him, that's why
>>> this mailing list exists, because companies will ignore
>>> security issues
>>> until it bites them in the ass to save a buck.
>>>
>>> People are way too obsessed with having certifications
>>> that don't
>>> actually teach practical intrusion techniques. If a
>>> system is so fragile
>>> that teenagers can take it down with minimal effort then
>>> there is a
>>> serious problem with the IT security industry. Think
>>> about it how long
>>> has sql injection been around? There is absolutely no
>>> excuse for being
>>> vulnerable to it. None what so ever. These kids are
>>> showing people the
>>> truth about the state of security online and that is
>>> whats making people
>>> afraid of them. They aren't writing 0 days every week,
>>> they are using
>>> vulnerabilities that are publicly available. Using tools
>>> that are
>>> publicly available, tools that were meant to be used by
>>> the people
>>> protecting the systems. Clearly the people in charge of
>>> protecting these
>>> system aren't using these tools to scan their systems or
>>> else they would
>>> have found the weaknesses first.
>>>
>>> The fact that government organizations and large name
>>> companies and
>>> government contractors fall prey to these types of
>>> attacks just goes to
>>> show the level of hypocrisy inherent to the situation.
>>> Especially when
>>> their solution to the problem is to just pass more and
>>> more restrictive
>>> laws (as if that's going to stop them). These kids are
>>> showing people
>>> that the emperor has no clothes and that's whats making
>>> people angry,
>>> they are putting someones paycheck in danger. Why don't
>>> we solve the
>>> problem by actually addressing the real problem and
>>> fixing systems that
>>> need to be fixed? Why not hire these kids with the time
>>> and energy on
>>> their hands to probe for these weaknesses on a large
>>> scale? The ones
>>> currently in the job slots to do this clearly aren't
>>> doing it. I bet if
>>> they started replacing these people with these kids it
>>> would shake the
>>> lethargy out of the rest of them and you would see a
>>> general increase in
>>> competence and security. Knowing that if you get your
>>> network owned by a
>>> teenager will not only get you fired, but replaced with
>>> said teenager is
>>> one hell of an incentive to make sure you get it right.
>>>
>>>
>>> Yes they would have to be taught additional skills to
>>> round out what
>>> they know, but every job requires some level of training
>>> and there are
>>> quite a few workplaces that will help their employees
>>> continue their
>>> education because it benefits the company to do so. This
>>> would be no
>>> different except that the employees would be younger,
>>> and younger people
>>> do tend to learn faster so it would likely take less
>>> time to teach these
>>> kids the needed skills to round out what they already
>>> know than it would
>>> to teach someone older the same thing. It is the same
>>> principal behind
>>> teaching young children multiple languages, they learn
>>> them better than
>>> adults.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>> Because the ones in charge right now can't even seem to fire
>> up sqlmap now and then to see if they are vuln. And if you
>> really believe that they just do it for the lulz line...
>>
>>
> Well that's what you get when you let profit margins dictate
> security policy. You guys act pretty tough when you argue with
> each other online but you can't stand up to some corporate idiots?
> Sounds like this industry could benefit from these kids even more
> since they are driving home the points you all are supposed to be
> warning them about.
>
>
Ok, obviously you don't actually care about information security. Enjoy
kids owning your networks.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists