Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- To: Laurelai <laurelai@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- From: doc mombasa <doc.mombasa@xxxxxxxxx>
- Date: Thu, 12 Jan 2012 10:47:04 +0100
OK, obviously you never worked for a big corporate entity :)
Sure, standing up to them is fine.
After shouting about the bug for 4 months I thought, bah, why bother, it's
their asses not mine.
Just going in and fixing a bug without the mandate is usually not a good
idea (if you want to keep your job so you can pay your bills, that is...).
On 12 Jan 2012 10:41, Laurelai <laurelai@xxxxxxxxxxxx> wrote:
> On 1/12/12 3:34 AM, doc mombasa wrote:
>
> I don't know if you ever worked for a big corporate entity?
> Like Kovacs wrote, it's not about whether you can do it or not as an
> employee, it's more about whether your manager allows you the time to do it.
> Pentesting doesn't change anything on the profits Excel sheet.
> We can agree it looks bad when shit happens, but they usually don't think
> that far ahead.
> I once tried reporting a very simple SQL injection flaw to my manager,
> including a proposed fix which would take all of 5 minutes to implement.
> 18 months went by before that flaw was fixed, because there was no profit
> in allocating resources to fix it.
> And that webapp was the #1 money generator for that company.
>
> On 12 Jan 2012 10:29, Laurelai <laurelai@xxxxxxxxxxxx> wrote:
>
>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>
>> Just one question:
>> Why should they hire the "skiddies" if most of them only know how to fire
>> up sqlmap or whatever app is hot right now?
>> Doesn't really seem like enough reason to hire anyone.
>> Besides, I'm not buying the whole "they do it because they are angry at
>> society" plop.
>> I've been there... they do it for the lulz.
>>
>>
>> On 11 Jan 2012 06:18, Laurelai <laurelai@xxxxxxxxxxxx> wrote:
>>
>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> >> Don't piss off a talented adolescent with computer skills.
>>> > Amen! I love me some stylin' pwnage :)
>>> >
>>> > Whether they were skiddies or actual hackers, it's still amusing (and
>>> > frightening to some) that companies who really should know better, in
>>> > fact, don't.
>>> >
>>> And again, if companies hired these people, most of whom come from
>>> disadvantaged backgrounds and are self-taught, they wouldn't have as much
>>> of a reason to be angry anymore. Most of them feel like they don't have any
>>> real opportunities for a career, and they are often right. Microsoft
>>> hired some kid who hacked their network; it is a safe bet he isn't going
>>> to be causing any trouble anymore. Talking about the trust issue, who
>>> would you trust more: the person who has all the certs and experience
>>> that told you your network was safe, or the 14-year-old who proved him
>>> wrong? We all know if that kid had approached Microsoft with his exploit
>>> in a responsible manner they would have outright ignored him; that's why
>>> this mailing list exists, because companies will ignore security issues
>>> until it bites them in the ass, to save a buck.
>>>
>>> People are way too obsessed with having certifications that don't
>>> actually teach practical intrusion techniques. If a system is so fragile
>>> that teenagers can take it down with minimal effort, then there is a
>>> serious problem with the IT security industry. Think about it: how long
>>> has SQL injection been around? There is absolutely no excuse for being
>>> vulnerable to it. None whatsoever. These kids are showing people the
>>> truth about the state of security online, and that is what's making people
>>> afraid of them. They aren't writing 0-days every week; they are using
>>> vulnerabilities that are publicly available, using tools that are
>>> publicly available, tools that were meant to be used by the people
>>> protecting the systems. Clearly the people in charge of protecting these
>>> systems aren't using these tools to scan their systems, or else they would
>>> have found the weaknesses first.
>>>
>>> The fact that government organizations, large-name companies and
>>> government contractors fall prey to these types of attacks just goes to
>>> show the level of hypocrisy inherent in the situation, especially when
>>> their solution to the problem is to just pass more and more restrictive
>>> laws (as if that's going to stop them). These kids are showing people
>>> that the emperor has no clothes, and that's what's making people angry:
>>> they are putting someone's paycheck in danger. Why don't we solve the
>>> problem by actually addressing the real problem and fixing systems that
>>> need to be fixed? Why not hire these kids with the time and energy on
>>> their hands to probe for these weaknesses on a large scale? The ones
>>> currently in the job slots to do this clearly aren't doing it. I bet if
>>> they started replacing these people with these kids it would shake the
>>> lethargy out of the rest of them, and you would see a general increase in
>>> competence and security. Knowing that getting your network owned by a
>>> teenager will not only get you fired, but replaced with said teenager, is
>>> one hell of an incentive to make sure you get it right.
>>>
>>>
>>> Yes, they would have to be taught additional skills to round out what
>>> they know, but every job requires some level of training, and there are
>>> quite a few workplaces that will help their employees continue their
>>> education because it benefits the company to do so. This would be no
>>> different, except that the employees would be younger, and younger people
>>> do tend to learn faster, so it would likely take less time to teach these
>>> kids the skills needed to round out what they already know than it would
>>> to teach someone older the same thing. It is the same principle behind
>>> teaching young children multiple languages: they learn them better than
>>> adults.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> Because the ones in charge right now can't even seem to fire up sqlmap
>> now and then to see if they are vulnerable. And if you really believe the
>> "they just do it for the lulz" line...
>>
>
> Well, that's what you get when you let profit margins dictate security
> policy. You guys act pretty tough when you argue with each other online, but
> you can't stand up to some corporate idiots? Sounds like this industry
> could benefit from these kids even more, since they are driving home the
> points you all are supposed to be warning them about.
>