Open Source and information security mailing list archives
Message-ID: <E989917C9FF25240A201E888E83DF32F01E139E8@EXCHANGE5.corp.ptd.net>
From: keithp at corp.ptd.net (Keith Pachulski)
Subject: more security people = less security

bravo =)

-----Original Message-----
From: Uncle Scrotora Balzac [mailto:scrotora@...hmail.com]
Sent: Tuesday, February 03, 2004 3:22 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] more security people = less security


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Many hackers (who also view themselves as security experts) are pissed
off by the landslide of new people, products, and money entering into
the security space. You hear about how things are changing (for the worse),
and posers, and blah, blah, blah. Hell, you even got hackers releasing
[nothing short of] press releases about why they're leaving the scene
because the scene is just too different nowadays.

Yes, it's true there are many more people becoming security "experts"
(using this term as loosely as possible) every day. And yes, it's also
true companies are running to the marketplace faster than Whitney Houston
to a line of coke. And yes, it's also true that corporations are driving
this trend by pouring obscene amounts of money into these companies without
understanding their halfass solutions. But, honestly, you really can't
ask for a better situation. If blackhats aren't *embracing* this trend,
they're missing the boat.

Of course, the obvious benefit: The more people pulled into this space
from various other backgrounds, the lower the average security administrator's
level of knowledge becomes. This "dumbing down" happens for several reasons,
but the most significant is the way in which these new generations of
security administrators are educated. Typically, they are forced into
these positions by employers that realize they desperately need security
staff. So, they move some random people into said positions. Not uncommonly,
network admins or sys admins that sucked in their previous positions.
Now you've got some guy sitting there trying to figure out which way
is up, so where do they turn? To vendors. Be it a vendor of hardware/software
solutions, or a vendor like SANS (selling propaganda, errr, I mean, "education"
about open source products backed by commercial entities which SANS purportedly
invests in).

Since vendors are offering solutions criminally acute in focus (especially
compared to the visibility required to solve the "problems" said vendors
are trying to address), the vendor "educates" the willing client about
the threats the client faces and how the vendor can save the client's
world. Since many admins have been learning about hackers and threats
from the perspective of vendors who are trying to make a sale -- typically
sales people or technical sales people like system/field engineers, like
the blind leading the blind -- they have no concept of the *true* threats
they need to be concerned about. It's not uncommon to hear people talking
about Teardrop, Jolt, and Ping of Death attacks. F'in DoS attacks against
Windows 3.1, Win 95, etc! Not to mention, nothing that results in remote
access to a system. Good, keep focusing on these "attacks." (And YES.
ALL the other attacks these vendors focus on are just as lame as these
examples). Typical hackers these days need to worry about power surges
more than security tricks.

Although it grates on the nerves of everyone who knows better to see
all these pen testers running around selling Nessus reports, or hear
security admins spouting off illogically about how they use product XYZ
to accomplish all these lofty objectives... Well, it also gives you a
wide open map into the small areas they're actually looking into protecting,
and the vast open areas they have no clue how to protect, much less
watch, or even what the hell to look for if someone even did notice an
irregularity.

So bring it on! We need *more* new security people and more new products
to create more confusion, ambiguity, and false senses of superiority.
Think security consoles only being released for Windows anymore doesn't
signify anything?! Come on out, the water's fine!

-- Uncle Scrot

