lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: johnpf at atnet.net.au (John) Subject: Security Industry Under Scrutiny: Part 3 sockz loves you wrote: >----- Original Message ----- >From: Silvio Cesare <silvio@....net.au> >Date: Fri, 6 Dec 2002 15:15:56 +1100 >To: sockz loves you <sockz@...il.com> >Subject: Re: [Full-Disclosure] Security Industry Under Scrutiny: Part 3 > > >>The presentations provided visibly show the source to "script kiddy" >>usage goes through a disclosure process.. The "script kiddies" are therefore >>the only adverseries you display. >> >> > >what others should i have included that were relative to the debate? i assumed >that if i was describing the flow of information between whitehats and script >kiddies, then i would not need to list any other adversaries because they would >have been outside the scope of the email. perhaps i was wrong? then again you >could mean here that fake-whitehats with fake-advisories are also kinds of >adversaries? i am not clear on this. > > Sockz, As of a very few years ago it was 'generally considered' that the greatest security risk that could involve monetory costs was from the disgruntled employee. I wouldn't be surprised if the potential cost of IIS/Lookout worms has now taken that 'leadership' position. But the capacity for a pissed-off employee to blow away a database or file system should not be trivialised. Look at how many root exploits rely on gaining a local shell! Just a simple (while true ; do mkdir a ; cd a ; done ) can incapacitate a server if done at the right time in the right filesystem. As well as annoy the sysadmin, and in turn cost money. Inode exhaustion is not nice lol. This is why aging hippies like myself were so annoying in our day - we realised that the biggest threat to any information system was through Social Engineering, _not_ through exploit code disclosure. If I can convince you that I am a Sun Engineer (Hey, I can make a business card that looks like I'm a Sun Engineer _very_ easily) and I have some 'secret patch we're not disclosing to the script kiddies' that I'm here to install on your box, and I have my Evil Friend waiting on the phone line on the card (we've managed to patch into the phone exchange in the not so secure tunnel under the xxxxxxxx building [Building not disclosed because there IS a tunnel I can get at Telstra's exchange with... regardless of the nature of this list I'm not going to tell, I got in trouble in my youth and I'm too old for that shit anymore.] so it's really hard to find us afterward) then I can do all sorts of bad things to your servers. I only need a shave to be completely unrecognisable. btw, was good to finally meet you in person last Sunday, I don't believe that the image you present on this list does you any justice whatsoever. There are depths to you that may not be apparent to those who only know you through your posts here Just a few things to consider, John
Powered by blists - more mailing lists