lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: johnpf at atnet.net.au (John)
Subject: Security Industry Under Scrutiny: Part 3

sockz loves you wrote:

>----- Original Message -----
>From: Silvio Cesare <silvio@....net.au>
>Date: Fri, 6 Dec 2002 15:15:56 +1100
>To: sockz loves you <sockz@...il.com>
>Subject: Re: [Full-Disclosure] Security Industry Under Scrutiny: Part 3
>  
>
>>The presentations provided visibly show the source to "script kiddy"
>>usage goes through a disclosure process..  The "script kiddies" are therefore
>>the only adverseries you display.
>>    
>>
>
>what others should i have included that were relative to the debate?  i assumed
>that if i was describing the flow of information between whitehats and script
>kiddies, then i would not need to list any other adversaries because they would
>have been outside the scope of the email.  perhaps i was wrong?  then again you
>could mean here that fake-whitehats with fake-advisories are also kinds of
>adversaries?  i am not clear on this.
>  
>

Sockz,

As of a very few years ago it was 'generally considered' that the 
greatest security risk that could involve monetory costs was from the 
disgruntled employee. I wouldn't be surprised if the potential cost of 
IIS/Lookout worms has now taken that 'leadership' position. But the 
capacity for a pissed-off employee to blow away a database or file 
system should not be trivialised. Look at how many root exploits rely on 
gaining a local shell!

Just a simple (while true ; do mkdir a ; cd a ; done ) can incapacitate 
a server if done at the right time in the right filesystem. As well as 
annoy the sysadmin, and in turn cost money. Inode exhaustion is not nice 
lol. This is why aging hippies like myself were so annoying in our day - 
we realised that the biggest threat to any information system was 
through Social Engineering, _not_ through exploit code disclosure.

If I can convince you that I am a Sun Engineer (Hey, I can make a 
business card that looks like I'm a Sun Engineer _very_ easily) and I 
have some 'secret patch we're not disclosing to the script kiddies' that 
I'm here to install on your box, and I have my Evil Friend waiting on 
the phone line on the card (we've managed to patch into the phone 
exchange in the not so secure tunnel under the xxxxxxxx building 
[Building not disclosed because there IS a tunnel I can get at Telstra's 
exchange with... regardless of the nature of this list I'm not going to 
tell, I got in trouble in my youth and I'm too old for that shit 
anymore.] so it's really hard to find us afterward) then I can do all 
sorts of bad things to your servers. I only need a shave to be 
completely unrecognisable.

btw, was good to finally meet you in person last Sunday, I don't believe 
that the image you present on this list does you any justice whatsoever. 
There are depths to you that may not be apparent to those who only know 
you through your posts here


Just a few things to consider,

John



Powered by blists - more mailing lists