
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from 
disadvantaged backgrounds and are self-taught, they wouldn't have as much 
of a reason to be angry anymore. Most of them feel like they don't have any 
real opportunities for a career, and they are often right. Microsoft 
hired some kid who hacked their network; it is a safe bet he isn't going 
to be causing any trouble anymore. Talking about the trust issue: who 
would you trust more, the person who has all the certs and experience 
who told you your network was safe, or the 14-year-old who proved him 
wrong? We all know that if that kid had approached Microsoft with his exploit 
in a responsible manner they would have outright ignored him. That's why 
this mailing list exists: because companies will ignore security issues 
until it bites them in the ass, to save a buck.

People are way too obsessed with having certifications that don't 
actually teach practical intrusion techniques. If a system is so fragile 
that teenagers can take it down with minimal effort, then there is a 
serious problem with the IT security industry. Think about it: how long 
has SQL injection been around? There is absolutely no excuse for being 
vulnerable to it. None whatsoever. These kids are showing people the 
truth about the state of security online, and that is what's making people 
afraid of them. They aren't writing 0-days every week; they are using 
vulnerabilities that are publicly available, using tools that are 
publicly available, tools that were meant to be used by the people 
protecting the systems. Clearly the people in charge of protecting these 
systems aren't using these tools to scan their systems, or else they would 
have found the weaknesses first.

The fact that government organizations, big-name companies and 
government contractors fall prey to these types of attacks just goes to 
show the level of hypocrisy inherent in the situation. Especially when 
their solution to the problem is to just pass more and more restrictive 
laws (as if that's going to stop them). These kids are showing people 
that the emperor has no clothes, and that's what's making people angry: 
they are putting someone's paycheck in danger. Why don't we solve the 
problem by actually addressing the real problem and fixing systems that 
need to be fixed? Why not hire these kids, who have the time and energy on 
their hands, to probe for these weaknesses on a large scale? The ones 
currently in the job slots to do this clearly aren't doing it. I bet if 
they started replacing these people with these kids it would shake the 
lethargy out of the rest of them, and you would see a general increase in 
competence and security. Knowing that getting your network owned by a 
teenager will not only get you fired, but get you replaced with said teenager, is 
one hell of an incentive to make sure you get it right.


Yes, they would have to be taught additional skills to round out what 
they know, but every job requires some level of training, and there are 
quite a few workplaces that will help their employees continue their 
education because it benefits the company to do so. This would be no 
different, except that the employees would be younger, and younger people 
do tend to learn faster, so it would likely take less time to teach these 
kids the skills needed to round out what they already know than it would 
to teach someone older the same thing. It is the same principle behind 
teaching young children multiple languages: they learn them better than 
adults do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/