| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Jan 2012 16:53:57 -0500 From: Benjamin Kreuter <ben.kreuter@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Rate Stratfor's Incident Response -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sat, 14 Jan 2012 14:33:23 -0700 Sanguinarious Rose <SanguineRose@...ultusTerra.com> wrote: > On the kiddies, I can't see the advantage of hiring a professional > sqlmap and havij operator. For a full-time position with benefits, no, there is no real advantage. However, if your own team cannot even do that much, then perhaps the kiddie should be be hired on a temporary or contract basis, to give a report of what sort of common vulnerabilities can be exploited. > > I always report the vulns that I stumble upon (from my own email > > and such) and while I'm doing this in good faith, I would never > > dare to actively exploit that vuln for better proof, because if > > they sue me, they would win. So I try to keep it that way, that I > > cannot be held responsible, because I didn't broke any law. > > I do agree and can't see the real need for someone to actually prove > it like that which is rather over the line in being illegal. It also > requires more work then is even required to report it. People are very bad with understanding hypothetical problems. As an example, my alma mater would (and perhaps still does) routinely send important, official emails about financial aid, tuition, etc. with a format like this: [stuff about finances that needs to be taken care of quickly] Click here to do [something important]: [link] There was no method available to verify that these emails actually came from the university's administration -- no digital signatures, nothing in the mail system that even checked that the message originated from a university IP address, nothing. I tried to bring this up with them, and even gave a live demonstration of spoofing an email address for the non-technical folks. It was not until an actually phishing attack was detected that any action was taken. Telling someone they have a vulnerable system will only affect change if they already take security seriously. Since most organizations still do not view security as central to the design of their systems, you need to really drive the point home with evidence. This means actually attacking the system, or at the very least giving some demonstration that the vulnerability is real and can really be attacked. - -- Ben - -- Benjamin R Kreuter UVA Computer Science brk7bx@...ginia.edu - -- "If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQIcBAEBCgAGBQJPEfl6AAoJEOV0+MnZK9ijV6sP/imaxMqZMoKFsY1ulSNiE9MN U/B3j90iSleznY184HP8Fdbs6iKHOemKXsG4t6PXetYDICv+OYpQxtGV8Gt8d8GG SG7eXuZqxbIMPcBS9Ozypt4V/VfXFAV4viyPyITphat4DPYs68aYQH36ENzD/HVF OIwfWAu05CsQd3p5tgAoWo7KYUB0XLtKSqe648OWPvM5UaX0yfb9qSryrmWEjxxI P3nOwodBcQDX1G7BwikRjrhTs98+Umczv6ijfXtdafv50/wurONcEsJC1SiJmqzv 6ZSp87jXxZWXgiJAqliSb9aXfZOj7xF1MUbj0oNVbPmx/uHStADIRxDM17pNm1Nf Doc0Ta+JUho4pDH40S+OB4PjzxeQEEcLmAUjqaPQgQ268DwRxi1iTAsyoYqdcJJL V78Db5hMrywWAeNEz7wjHDhEJmtmtnkcnxZEhqCx1AtSJIeHgqVKUY3TQrVhdBz/ 4siM5cOSBaLmxvNl43MJSbwtDaILF+UhCKWh86rV5GLCD9x8jKaT5NI1DXFA6BFk NObJeHIPlu/WTYKGOmRuqAkvet0ESYWct0XFMsj4Eugafo5jPqmRb1ASBICvzB5o xr79LueVYFy2ft7cAPyU2aSwl1WAFlEDLVDoe4FbNUXziYdHenDHmqJxjbDdK3Ul Zsryhbvmo3zpap+U8jpi =rugN -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists