[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



On 1/12/12 3:27 AM, doc mombasa wrote:
just one question
why should they hire the "skiddies" if most of them only know how to fire up sqlmap or whatever current app is hot right now?
doesnt really seem like enough reason to hire anyone
besides im not buying the whole "they do it because they are angry at society" plop
ive been there.. they do it for the lulz

Den 11. jan. 2012 06.18 skrev Laurelai <laurelai@xxxxxxxxxxxx <mailto:laurelai@xxxxxxxxxxxx>>:

    On 1/10/12 10:18 PM, Byron Sonne wrote:
    >> Don't piss off a talented adolescent with computer skills.
    > Amen! I love me some stylin' pwnage :)
    >
    > Whether they were skiddies or actual hackers, it's still amusing
    (and
    > frightening to some) that companies who really should know
    better, in
    > fact, don't.
    >
    And again, if companies hired these people, most of whom come from
    disadvantaged backgrounds and are self taught they wouldn't have
    as much
    a reason to be angry anymore. Most of them feel like they don't
    have any
    real opportunities for a career and they are often right. Microsoft
    hired some kid who hacked their network, it is a safe bet he isn't
    going
    to be causing any trouble anymore. Talking about the trust issue, who
    would you trust more the person who has all the certs and experience
    that told you your network was safe or the 14 year old who proved him
    wrong? We all know if that kid had approached microsoft with his
    exploit
    in a responsible manner they would have outright ignored him,
    that's why
    this mailing list exists, because companies will ignore security
    issues
    until it bites them in the ass to save a buck.

    People are way too obsessed with having certifications that don't
    actually teach practical intrusion techniques. If a system is so
    fragile
    that teenagers can take it down with minimal effort then there is a
    serious problem with the IT security industry. Think about it how long
    has sql injection been around? There is absolutely no excuse for being
    vulnerable to it. None what so ever. These kids are showing people the
    truth about the state of security online and that is whats making
    people
    afraid of them. They aren't writing 0 days every week, they are using
    vulnerabilities that are publicly available. Using tools that are
    publicly available, tools that were meant to be used by the people
    protecting the systems. Clearly the people in charge of protecting
    these
    system aren't using these tools to scan their systems or else they
    would
    have found the weaknesses first.

    The fact that government organizations and large name companies and
    government contractors fall prey to these types of attacks just
    goes to
    show the level of hypocrisy inherent to the situation. Especially when
    their solution to the problem is to just pass more and more
    restrictive
    laws (as if that's going to stop them). These kids are showing people
    that the emperor has no clothes and that's whats making people angry,
    they are putting someones paycheck in danger. Why don't we solve the
    problem by actually addressing the real problem and fixing systems
    that
    need to be fixed? Why not hire these kids with the time and energy on
    their hands to probe for these weaknesses on a large scale? The ones
    currently in the job slots to do this clearly aren't doing it.  I
    bet if
    they started replacing these people with these kids it would shake the
    lethargy out of the rest of them and you would see a general
    increase in
    competence and security. Knowing that if you get your network
    owned by a
    teenager will not only get you fired, but replaced with said
    teenager is
    one hell of an incentive to make sure you get it right.


    Yes they would have to be taught additional skills to round out what
    they know, but every job requires some level of training and there are
    quite a few workplaces that will help their employees continue their
    education because it benefits the company to do so. This would be no
    different except that the employees would be younger, and younger
    people
    do tend to learn faster so it would likely take less time to teach
    these
    kids the needed skills to round out what they already know than it
    would
    to teach someone older the same thing. It is the same principal behind
    teaching young children multiple languages, they learn them better
    than
    adults.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


Because the ones in charge right now can't even seem to fire up sqlmap now and then to see if they are vuln. And if you really believe that they just do it for the lulz line...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/