From: jessevalentin at yahoo.com (Jesse Valentin)
Subject: RE: Open the doors to hell hire a hicker Full-Disclosure Posts


Hey there Jan,

First let me say that I understand what you're trying to say here, but I don't agree with the way you expressed it. You mention that the point of "hiring people who don't know much" is to ensure that people are following "policy and procedure and comply with audit".

You also mentioned that security methodologies can be maintained by "ordinary computer folk".

I know that sometimes, due to email, meanings can get misconstrued. Jan, maybe you were thinking one thing but it came out another way?

Here is my point, and tell me if you agree... First off, and as we know, security should be a lifecycle process and can be likened to an organic function in that it is always changing. You need to adjust your security measures to address ever-changing threats. Consider a simple firewall rule base... sure, you can set it up and forget about it, but chances are when the next exploit comes out that targets some authorized port, your current security stance becomes obsolete. An "ordinary computer person" is not going to have the skills to know how to research the latest threats or how they need to adjust these security rules to provide the protection you need.

The same can be said of an Info Sec policy... this document needs to be revisited on a periodic basis to make sure that the rules it lays out are in accord with necessary security practices. If the person doesn't know much in the way of security, then this creates a liability for the company in which he is employed, as the policy will not address needed areas. Imagine an engineer who doesn't understand HIPAA requirements and allows people on his network to send out patient info in the clear. Sure... this works from a networking and tech point of view, but from a security perspective it's a total failure.

Security is another animal when you compare it with basic computer techs and engineers. Not that they are less talented... they just focus on a different discipline. The same way you wouldn't send in a lawyer to do a triple bypass surgery, you can't expect a computer tech or server admin to be able to address security needs if they haven't been trained to do so.

Just some thoughts.

Jesse



On Mon, 18 Oct 2004 10:28:39 -0400, Clairmont, Jan M wrote:
> Oh yeah and we can trust you bozos not to put in backdoors, sploits and other
> great modes of entry yeah right. 8->, Hire the burglar to secure your home,
> yeah right? Doh!

Just because J.Random Hacker starts out as an immature 17 year old
script kiddie breaking into random systems doesn't mean (assume he
avoids prison) he can't grow up to become a mature "security
professional" who knows how to follow a policy procedure, comply with
audit, and work a 9-to-5 job.

Scratch a thirty-something lead InfoSec consultant from any major
consulting firm (including the big four), and chances are you'll find
a "31337 Hax0r" from the 90's.

And this is excluding the obvious L0pht->@Stake->Symantec progression.
People mature over time, grow into a more "professional" attitude
without losing the inventiveness and insight that makes them
effective.


> Sheesh, what a stupid idea?
> 
> The whole point of hiring people who don't know much is that they follow
> a policy procedure and comply with audit. I have yet to see a H&ck3r follow any
> procedure. So how do you control anything such as policy etc., the wild west again?
> You hire professional security people to maintain control, not chaos, and find methodologies,
> procedures and products that are the most effective, test, re-test, remediate, deploy and defend.
> And that can be maintained and operated by ordinary computer folk, who want to do an honest day's
> work and collect their rightful pay, but maybe you never thought of that!

Sure, bean counters have their place too.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

		
---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041020/38cedc0c/attachment.html

Powered by blists - more mailing lists