Message-ID: <99529.1326293077@turing-police.cc.vt.edu>
Date: Wed, 11 Jan 2012 09:44:37 -0500
From: Valdis.Kletnieks@...edu
To: Laurelai <laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On Wed, 11 Jan 2012 01:33:18 CST, Laurelai said:

> If you guys can't scan for basic sql injection and these kids can then
> there's a real problem, that's my point here.

That may or may not be true.  Doesn't mean you have the right solution.
Also, you seem to keep forgetting that this is an asymmetric problem.

The security guy has to scan *every single* entry point of *every single* app
for an SQL injection, which could take a while for a large company.  They are usually
limited in how much time they have (two to four weeks, usually).  And then scan
for *every other* thing on the OWASP Top 10.

One script kiddie gets lucky and finds one hole, they get their name in the news.

> As the ancient proverb says "Set a thief to catch a thief"

The fact it's a proverb doesn't make it correct or useful in today's world.

http://www.answers.com/topic/set-a-thief-to-catch-a-thief

Maybe in 1665 it was the best way to do it.  I'd certainly hope that today with
modern techniques like fingerprints and DNA and surveillance cameras, a
detective is better at catching thieves than another thief would be.

Remember - the fact the guy knows how to pick a 5-tumbler lock doesn't mean he
knows how to lift the prints off said lock after somebody else did it.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/