[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



like i said
standing up for good policy does not mean it will be enforced


Den 12. jan. 2012 10.55 skrev Laurelai <laurelai@xxxxxxxxxxxx>:

>  On 1/12/12 3:54 AM, doc mombasa wrote:
>
> and you are obviously blindly stuck on a point and has no idea how it
> actually works out there in "the real world"
>
> in small companies you have freedom and ability to execute
> in big companies not so much..
>
>  Den 12. jan. 2012 10.52 skrev Laurelai <laurelai@xxxxxxxxxxxx>:
>
>>   On 1/12/12 3:47 AM, doc mombasa wrote:
>>
>> ok obviously you never worked for a big corporate entity :)
>> sure standing up to them is fine
>> after shouting about the bug for 4 months i thought bah why bother its
>> their asses not mine
>> just going in and fixing a bug without the mandate is usually not a good
>> idea (if you want to keep your job so you can pay your bills that is..)
>>
>>  Den 12. jan. 2012 10.41 skrev Laurelai <laurelai@xxxxxxxxxxxx>:
>>
>>>   On 1/12/12 3:34 AM, doc mombasa wrote:
>>>
>>> i dont know if you ever worked for a big corporate entity?
>>> like kovacs wrote its not about whether you can do it or not as an
>>> employee its more about if your manager allows you the time to do it
>>> pentesting doesnt change anything on the profits excel sheet
>>> we can agree it looks bad when shit happens but they usually dont think
>>> that far ahead
>>> i tried once reporting a very simple sql injection flaw to my manager
>>> and including a proposed fix which would take all of 5 minutes to implement
>>> 18 months went by before that flaw was fixed because there was no
>>> profits in allocating resources to fix it
>>> and that webapp was the #1 money generator for that company
>>>
>>>  Den 12. jan. 2012 10.29 skrev Laurelai <laurelai@xxxxxxxxxxxx>:
>>>
>>>>   On 1/12/12 3:27 AM, doc mombasa wrote:
>>>>
>>>>  just one question
>>>> why should they hire the "skiddies" if most of them only know how to
>>>> fire up sqlmap or whatever current app is hot right now?
>>>> doesnt really seem like enough reason to hire anyone
>>>> besides im not buying the whole "they do it because they are angry at
>>>> society" plop
>>>> ive been there.. they do it for the lulz
>>>>
>>>>
>>>>  Den 11. jan. 2012 06.18 skrev Laurelai <laurelai@xxxxxxxxxxxx>:
>>>>
>>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>> >> Don't piss off a talented adolescent with computer skills.
>>>>> > Amen! I love me some stylin' pwnage :)
>>>>> >
>>>>> > Whether they were skiddies or actual hackers, it's still amusing (and
>>>>> > frightening to some) that companies who really should know better, in
>>>>> > fact, don't.
>>>>> >
>>>>>  And again, if companies hired these people, most of whom come from
>>>>> disadvantaged backgrounds and are self taught they wouldn't have as
>>>>> much
>>>>> a reason to be angry anymore. Most of them feel like they don't have
>>>>> any
>>>>> real opportunities for a career and they are often right. Microsoft
>>>>> hired some kid who hacked their network, it is a safe bet he isn't
>>>>> going
>>>>> to be causing any trouble anymore. Talking about the trust issue, who
>>>>> would you trust more the person who has all the certs and experience
>>>>> that told you your network was safe or the 14 year old who proved him
>>>>> wrong? We all know if that kid had approached microsoft with his
>>>>> exploit
>>>>> in a responsible manner they would have outright ignored him, that's
>>>>> why
>>>>> this mailing list exists, because companies will ignore security issues
>>>>> until it bites them in the ass to save a buck.
>>>>>
>>>>> People are way too obsessed with having certifications that don't
>>>>> actually teach practical intrusion techniques. If a system is so
>>>>> fragile
>>>>> that teenagers can take it down with minimal effort then there is a
>>>>> serious problem with the IT security industry. Think about it how long
>>>>> has sql injection been around? There is absolutely no excuse for being
>>>>> vulnerable to it. None what so ever. These kids are showing people the
>>>>> truth about the state of security online and that is whats making
>>>>> people
>>>>> afraid of them. They aren't writing 0 days every week, they are using
>>>>> vulnerabilities that are publicly available. Using tools that are
>>>>> publicly available, tools that were meant to be used by the people
>>>>> protecting the systems. Clearly the people in charge of protecting
>>>>> these
>>>>> system aren't using these tools to scan their systems or else they
>>>>> would
>>>>> have found the weaknesses first.
>>>>>
>>>>> The fact that government organizations and large name companies and
>>>>> government contractors fall prey to these types of attacks just goes to
>>>>> show the level of hypocrisy inherent to the situation. Especially when
>>>>> their solution to the problem is to just pass more and more restrictive
>>>>> laws (as if that's going to stop them). These kids are showing people
>>>>> that the emperor has no clothes and that's whats making people angry,
>>>>> they are putting someones paycheck in danger. Why don't we solve the
>>>>> problem by actually addressing the real problem and fixing systems that
>>>>> need to be fixed? Why not hire these kids with the time and energy on
>>>>> their hands to probe for these weaknesses on a large scale? The ones
>>>>> currently in the job slots to do this clearly aren't doing it.  I bet
>>>>> if
>>>>> they started replacing these people with these kids it would shake the
>>>>> lethargy out of the rest of them and you would see a general increase
>>>>> in
>>>>> competence and security. Knowing that if you get your network owned by
>>>>> a
>>>>> teenager will not only get you fired, but replaced with said teenager
>>>>> is
>>>>> one hell of an incentive to make sure you get it right.
>>>>>
>>>>>
>>>>> Yes they would have to be taught additional skills to round out what
>>>>> they know, but every job requires some level of training and there are
>>>>> quite a few workplaces that will help their employees continue their
>>>>> education because it benefits the company to do so. This would be no
>>>>> different except that the employees would be younger, and younger
>>>>> people
>>>>> do tend to learn faster so it would likely take less time to teach
>>>>> these
>>>>> kids the needed skills to round out what they already know than it
>>>>> would
>>>>> to teach someone older the same thing. It is the same principal behind
>>>>> teaching young children multiple languages, they learn them better than
>>>>> adults.
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>   Because the ones in charge right now can't even seem to fire up
>>>> sqlmap now and then to see if they are vuln. And if you really believe that
>>>> they just do it for the lulz line...
>>>>
>>>
>>>   Well that's what you get when you let profit margins dictate security
>>> policy. You guys act pretty tough when you argue with each other online but
>>> you can't stand up to some corporate idiots? Sounds like this industry
>>> could benefit from these kids even more since they are driving home the
>>> points you all are supposed to be warning them about.
>>>
>>
>>   Ok, obviously you don't actually care about information security.
>> Enjoy kids owning your networks.
>>
>
>  Yes and its the fault of people who feel too intimidated to stand up for
> good policy. Thats *why* big companies are this way, your part of the
> problem.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/