Message-ID: <Pine.LNX.4.58.0410180715300.17446@gandalf.hugo.vanderkooij.org>
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Subject: [SPAM] Re: Full-Disclosure Posts

On Sun, 17 Oct 2004, yahoo@...alhost wrote:

> On Sat, 16 Oct 2004 19:13:18 -0700, Etaoin Shrdlu <shrdlu@...ddrop.org> wrote:
> > Of course, anyone still using the term "hax0r" as though it were
> > meaningful might want to think further about what a "security
> > professional" might be
>
> A security professional is someone who cares more about money than the
> real issue of security at where they work. They don't go the extra
> mile for the interests of security at where they work, as they don't
> want to risk the job they're in.
>
> My view is corporations should not employ uni graduates and
> thirty-somethings to work in a security team. They very likely still
> can't open a can of beans and certainly have no idea about the real
> issues which face them. They follow company policy and go home at the
> end of the day, and switch off.
>
> The people who should be working at a security team should be
> volunteers who have the real interests of the company in mind, instead
> of money.
>
> The security professional as we know it (uni graduate and 30
> something) is not a hax0r, they are ph.d or whatever who are skilled
> on an academic level, and that's as far as it goes, which in my opinion
> isn't far enough.
>
> Being a security professional is meant to be about passion, strictly
> not money, in my humble opinion.
>
> Stop employing academics and get the hackers in to do the job
> properly, unpaid of course, at least to start off with, to make sure
> they're joining the company for the right reasons. ;-)

Companies do not care about security. The CEO only works with numbers. If
bad security loses 100k per month but tightening things up loses 105k per
month on productivity they take the 5k per month profit regardless of who
is doing security and leave it open.

It has very little to do with attitude on the security staff. If you want
to work corporate you need to understand corporate thinking.

Taking simple countermeasures to prevent damage from things like a
Slammer Worm are laughed at until they get hit and lose 2 days worth of
business. Then they start screaming to get it installed yesterday.

You do not have to like it but that is the sad state we are in.

Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij@...derkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.

