Message-ID: <200402041700.i14H07aR069657@mailserver3.hushmail.com>
From: macmanus at hushmail.com (macmanus@...hmail.com)
Subject: more security people = less security

Too bad it won't last - once all the newbies get CISSPs, we'll be screwed!
Thanks Uncle Scrot, best thing I've seen on this list in a while!

> Many hackers (who also view themselves as security experts) are pissed
> off by the landslide of new people, products, and money entering into
> the security space. You hear about how things are changing (for the
> worse), and posers, and blah, blah, blah. Hell, you even got hackers
> releasing [nothing short of] press releases about why they're leaving
> the scene because the scene is just too different nowadays.
>
> Yes, it's true there are many more people becoming security "experts"
> (using this term as loosely as possible) every day. And yes, it's also
> true companies are running to the marketplace faster than Whitney Houston
> to a line of coke. And yes, it's also true that corporations are driving
> this trend by pouring obscene amounts of money into these companies
> without understanding their halfass solutions. But, honestly, you really
> can't ask for a better situation. If blackhats aren't *embracing* this
> trend, they're missing the boat.
>
> Of course, the obvious benefit: The more people pulled into this space
> from various other backgrounds, the lower the average security
> administrator's level of knowledge becomes. This "dumbing down" happens
> for several reasons, but the most significant is the way in which these
> new generations of security administrators are educated. Typically, they
> are forced into these positions by employers that realize they
> desperately need security staff. So, they move some random people into
> said positions. Not uncommonly, network admins or sys admins that sucked
> in their previous positions. Now you've got some guy sitting there trying
> to figure out which way is up, so where do they turn? To vendors. Be it a
> vendor of hardware/software solutions, or a vendor like SANS (selling
> propaganda, errr, I mean, "education" about open source products backed
> by commercial entities which SANS purportedly invests in).
>
> Since vendors are offering solutions criminally acute in focus (especially
> compared to the visibility required to solve the "problems" said vendors
> are trying to address), the vendor "educates" the willing client about
> the threats the client faces and how the vendor can save the client's
> world. Since many admins have been learning about hackers and threats
> from the perspective of vendors who are trying to make a sale -- typically
> sales people or technical sales people like system/field engineers, like
> the blind leading the blind -- they have no concept of the *true* threats
> they need to be concerned about. It's not uncommon to hear people talking
> about Teardrop, Jolt, and Ping of Death attacks. F'in DoS attacks against
> Windows 3.1, Win 95, etc! Not to mention, nothing that results in remote
> access to a system. Good, keep focusing on these "attacks." (And YES.
> ALL the other attacks these vendors focus on are just as lame as these
> examples). Typical hackers these days need to worry about power surges
> more than security tricks.
>
> Although it grates on the nerves of everyone who knows better to see
> all these pen testers running around selling Nessus reports, or hear
> security admins spouting off illogically about how they use product XYZ
> to accomplish all these lofty objectives... Well, it also gives you a
> wide open map into the small areas they're actually looking into
> protecting, and the vast open areas they have no clue how to protect,
> much less watch, or even what the hell to look for if someone even did
> notice an irregularity.
>
> So bring it on! We need *more* new security people and more new products
> to create more confusion, ambiguity, and false senses of superiority.
> Think security consoles only being released for Windows anymore doesn't
> signify anything?! Come on out, the water's fine!
>
> - Uncle Scrot