Message-ID: <4b6ee9310810231601p1ee5330ya8dc881289e719f7@mail.gmail.com>
Date: Fri, 24 Oct 2008 00:01:23 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: DHS / US-CERT do we need them want them?

I'm not against anyone here, just I think and most people agree DHS
has been pretty pointless and ineffective in its goals. You can see
they mean well, but they do it all wrong. Basically, it seemed to be a
department which grouped existing or new departments together under
one umbrella. I think the point was to centralise them all into one
command and control coordination group called DHS. Did US-CERT do
well, what do they do? They look out for vulnerabilities on the
mailing lists and act as a bridge between vendors and the interest of
the government. If the government have an interest in, say, a DNS
vulnerability, they will email vendors and say, you got to patch this,
we are putting pressure on you to patch. Also, the federal government
are rolling out DNSSEC to its domain name infrastructure. So,
basically, US-CERT seems to be an oversight posture, oversighting not
only their government interests, but oversighting businesses and
academia, to make sure their standards are up to scratch and making
sure they know what they need to know so that they can make a decision
which US-CERT will end up bullying them into doing with emails and
telephone calls. So I can see maybe US-CERT might have a reason to be
there, to oversight the rest of us and bully us with recommendations
they force upon you if you don't take the primary polite hint at
updating something.

Do we need US-CERT? Do we need DHS? The truth is, we could probably
keep US-CERT, but generally they are just bullies with the security
community they oversight, and if the DHS was disbanded, then US-CERT
could still exist without the DHS umbrella, although it might be
better if US-CERT and DHS just go at the same time. I agree with the
idea of what they want to do, I just don't like the way in which they
do it. Their approach to protecting the homeland is all wrong. US-CERT
are bullies to the infosec community; we shouldn't need to feel
intimidated by them, as I feel some vendors are in times like the DNS
flaw when the government start demanding things. Good night.

The things that US-CERT do and recommend, the vendors know about
already. US-CERT are just like an annoyance alarm bell in your ear you
can't get rid of when you already know what you need to know. So if
US-CERT and DHS weren't around we wouldn't be worse off, we would be
better off without them. I'm sure they, US-CERT, keep doing it to
their own government departments as well, emailing and phone calling
them about things they already know about. Lastly, their email alert
system is slow, so slow at telling people about things that it just
becomes a spam alert in your inbox of old news, and that reflects what
I was talking about in this email about them sending spear targeted
emails and phone calls to vendors and government departments, which
already have their security teams taking care of issues and don't need
the oversight and bully boy annoyances that US-CERT seem to pose.

The funny thing is, this isn't even personal experience I'm talking
about; as you know I'm not part of the professional community, but I
know what's going on because I talk to people and I read the mailing
lists and get the vibe that this is what US-CERT do in reality: bully
boy people into doing things and telling them things they already
know, and demand things are done. And in times of need, force people
to work with each other even if they don't really want to. Maybe the
forcing people to collaborate is a good thing at critical times, but
you don't need a whole US-CERT for that; it just takes a couple of
independent folks to do that, out there in the community, when it
becomes apparent that action with multiple vendors and governments is
required. Do we need DHS? No. Do we need to keep US-CERT? No, because
the skilled folks are already there at each government department and
vendor; they are more up to speed than DHS and US-CERT appear to be on
security vulnerabilities and what needs to be done. There is no need
to pump money into US-CERT, which only tells people what they know
already. This is the case with individual end-users, vendors and
government departments: they don't see US-CERT/DHS as needed, it's
just a luxury.

It's like driving a Bentley, when I can still get to where I want to
go in a Mini. The Mini is smaller, more economic on fuel, nippier
round the bends in the cities, while the Bentley is a big, heavy,
fuel/money guzzler, slower but looks shinier on the outside, but in
fact does the same thing as the Mini. So better off with the Mini I
say, unless you just are a show off and want to impress people on the
outside, when not really offering anything new on the inside that the
Mini can't offer. And with the Mini / Bentley thing now in your head,
that is basically what it comes down to and explains the situation
well: why have a Bentley, when all we want is a Mini? Or better off
get a bus or a train and don't bother with any oversight group that
bullies people and offers nothing new to anyone that they didn't know
already.

Another rant done and done, good night. Sorry people who work for
US-CERT, you are probably nice guys who mean well, but never mind, you
get my point. n3td3v.

Take care everybody, we as white hats should stick together, but just
because I don't agree with something a white hat does doesn't make me
bad. People seem to think if you're a white hat, you can't speak out
about another white hat or you will be called a bad person; no, I
think it's ok to talk about other white hats if another white hat
doesn't agree with something. But people like Valdis will still call
me names, but he is probably a Republican, so who cares. n3td3v is not
a bad person, I'm a good natured person, maybe with shit social skills
but who cares about it??? We don't become great computer people by
having a social life and going out places, do we? Good night.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
