Message-ID: <CAG+vHKLRSqszyyUm2k-rUHqak_5s3fNbG8jWNgOE5gG-w2QDxg@mail.gmail.com>
Date: Mon, 9 Jan 2012 20:00:11 +0100
From: "J. von Balzac" <jhm.balzac@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

> Most of the kids are skript kiddies, and don't really understand the *defense*
> end of the security business very well.  Sure, some may be better than skript
> kiddies, and may be *incredible* at finding a memory overlay or an SQL
> injection, but do they know how to *secure* against *everything*?
>
> Does that kid know anything about "continuity of operations"? How to negotiate
> with network providers to guarantee diverse cable paths?  How to set up proper
> audit trails so they can figure out what happened after the fact? How to deal
> with physical security issues (how do you know the guy at the door works for
> Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
> evidence" order?  How to secure systems against insider threats and
> embezzlement (still a big problem, even if hackers get more news time)? How to
> ensure proper backups get done (this can be very non-trivial if you have
> multiple petabytes of storage, and need to do point-in-time recoveries)? How to
> do all the other things involved in actually making a data processing facility
> *secure*?

Warning: my message is about semantics.

Valdis, you make me curious: how do you know that most are kids, and
script kiddies? The label "script kiddies" has been used for over 20
years and, well, kids do grow old... aren't the script kiddies really
"script men" these days? The label "script kiddie" tends to downplay
their existence. It has a tone of "strong security officers, men of
renown, men with beards" who look down on those petty script kiddies
from their high places of arcane knowledge possessed by a mere few.

Isn't it more likely that the people who massively pwned Stratfor are
indeed mature and serious? It's easy to establish that "the lulzboat
people", for lack of a better term, are more mature than the
technicians at Stratfor will ever be. Better to call them "security
kiddies"; I can understand that.

Of course it's common to refer to script kiddies on mailing lists and
among tech-savvy people. As I'm not a pro, I wonder if you guys (the
professional pen testers) refer to these people as script kiddies when
you talk with your clients.

Maybe "penners" would be a better word, because even the word "hacker"
is too broad. I can't stand it when "laymen" refer to "hackers" on
every occasion.

Jan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/