Date: Sun, 8 Jan 2012 01:37:21 +0100
From: Ferenc Kovacs <tyra3l@...il.com>
To: Laurelai <laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Fwd: Rate Stratfor's Incident Response

On Sun, Jan 8, 2012 at 1:24 AM, Laurelai <laurelai@...echan.org> wrote:

> On 1/7/12 6:20 PM, Valdis.Kletnieks@...edu wrote:
>
>> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>>
>>> Because they pay the kids to own them in a safe manner to show that
>>>
>> It's not as simple as all that.  A good pen-tester needs more skills than
>> just how to pwn a server.  You need some business smarts, and you need to
>> be *very* careful about writing the rules of engagement (some pen tests
>> that involve physical attacks can literally get you shot at if you screw
>> this part up), and then *sticking with them* (you find a major social
>> engineering problem while doing a black-box test of some front-end servers,
>> you better re-negotiate those rules of engagement before you do anything
>> else).  Also, once a pen test starts, you can't take your time and poke it
>> with the 3 or 4 types of attacks that you're good at - you have 3 weeks
>> starting at 8AM Monday to hit it with 37 different classes of attacks
>> they're likely to see and another 61 types of attacks they're not likely
>> to see and aren't expecting.  And be prepared to work any one of those 94
>> from "looks like might be an issue" to something you can put in a report
>> and say "You Have A Problem".
>>
>> Almost no company is stupid enough to hire a pen testing team without
>> that team posting a good-sized performance bond in case of a screw-up
>> taking out a server, or a rogue pentester stealing the data. (ESPECIALLY
>> in this case, you *already* caught them stealing the data once :)
>>
>> And the kids are going to land a $1M performance bond, how?
>>
>> (Hint - think this through.  Really good pentesters make *really* good
>> bucks.  If those kiddies had what it took to be good pentesters, they'd
>> already be making bucks as pentesters, not as kiddies)
>>
>>> their so-called experts are full of shit, then they fire said experts
>>> and hire competent people saving time, money and resources, try and
>>>
>> Doesn't scale, because there's not enough competent people out there.
>> There's 140 million .coms, there aren't 140 million security experts out
>> there.
>>
>> It's not a new idea - I've heard it every year or two since probably
>> before most of the people on this list were born.  The fact that almost
>> no companies actually *do* it, and that those hackers who have
>> successfully crossed over to consulting are rare enough that you can name
>> most of them, should tell you something about how well it ends up working
>> in practice.
>>
> Well, enjoy your doomed industry then. I'll continue to take great
> pleasure as the so-called experts get owned by teenagers.
>

IMO public shaming (i.e. being owned by kiddies, who usually get bigger media
attention) can force companies to take security more seriously, but IMO
hiring the kiddies isn't the solution.
Even if he/she happens to be the "superstar" who, given the chance, would be
able to secure your infrastructure, the industry is rotten mostly because
IT-sec isn't as high a priority as it should be.
It is an added value, usually bolted on top of the screwed-up legacy
processes/software, and the higher-ups expect it to be bought with money
alone.
They would pay for the cert, they would pay for the hacker-proof seal, they
would pay for the insurance and the decent-looking IT-security consultant
company, but they won't change the flawed processes and the bad priorities.
Of course many of them will get owned, lose a good chunk of money, and some of
them will even go out of business, but as long as most of them can get away
with that broken model, they won't try to fix the underlying problem.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/