[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



"Sounds     like this industry could benefit from these kids even more
since     they are driving home the points you all are supposed to be
warning     them about."

That's because these kids don't have mouths to feed and a paycheck to
worry about. Ethics and ethos are all very nice when you have nothing
to lose, all to gain and no one depending on you...

On Thursday, January 12, 2012 at 4:43 AM, Laurelai  wrote:            
      On 1/12/12 3:34 AM, doc mombasa wrote:            i dont know if
you ever worked for a big corporate entity?       like kovacs wrote
its not about whether you can do it or not         as an employee its
more about if your manager allows you the         time to do it      
pentesting doesnt change anything on the profits excel sheet          
   we can agree it looks bad when shit happens but they usually       
 dont think that far ahead       i tried once reporting a very simple
sql injection flaw to my         manager and including a proposed fix
which would take all of 5         minutes to implement       18 months
went by before that flaw was fixed because there         was no
profits in allocating resources to fix it       and that webapp was
the #1 money generator for that company
                       Den 12. jan. 2012 10.29 skrev Laurelai :
                                                 On 1/12/12 3:27 AM,
doc mombasa wrote:                                                    
    just one question                     why should they hire the
"skiddies" if most of                       them only know how to fire
up sqlmap or whatever                       current app is hot right
now?                     doesnt really seem like enough reason to hire
                      anyone                     besides im not buying
the whole "they do it                       because they are angry at
society" plop                     ive been there.. they do it for the
lulz
                                                              Den 11.
jan. 2012 06.18 skrev                     Laurelai :
                                            On 1/10/12 10:18 PM, Byron
Sonne wrote:
                         >> Don't piss off a talented adolescent      
                  with computer skills.
                         > Amen! I love me some stylin' pwnage :)
                         >
                         > Whether they were skiddies or actual       
                 hackers, it's still amusing (and
                         > frightening to some) that companies who    
                    really should know better, in
                         > fact, don't.
                         >
                                              And again, if companies
hired these people, most                       of whom come from
                       disadvantaged backgrounds and are self taught
they                       wouldn't have as much
                       a reason to be angry anymore. Most of them feel
                      like they don't have any
                       real opportunities for a career and they are
often                       right. Microsoft
                       hired some kid who hacked their network, it is
a                       safe bet he isn't going
                       to be causing any trouble anymore. Talking
about                       the trust issue, who
                       would you trust more the person who has all the
                      certs and experience
                       that told you your network was safe or the 14
year                       old who proved him
                       wrong? We all know if that kid had approached  
                    microsoft with his exploit
                       in a responsible manner they would have
outright                       ignored him, that's why
                       this mailing list exists, because companies
will                       ignore security issues
                       until it bites them in the ass to save a buck.
                       People are way too obsessed with having        
              certifications that don't
                       actually teach practical intrusion techniques.
If                       a system is so fragile
                       that teenagers can take it down with minimal   
                   effort then there is a
                       serious problem with the IT security industry. 
                     Think about it how long
                       has sql injection been around? There is
absolutely                       no excuse for being
                       vulnerable to it. None what so ever. These kids
                      are showing people the
                       truth about the state of security online and
that                       is whats making people
                       afraid of them. They aren't writing 0 days
every                       week, they are using
                       vulnerabilities that are publicly available.
Using                       tools that are
                       publicly available, tools that were meant to be
                      used by the people
                       protecting the systems. Clearly the people in  
                    charge of protecting these
                       system aren't using these tools to scan their  
                    systems or else they would
                       have found the weaknesses first.
                       The fact that government organizations and
large                       name companies and
                       government contractors fall prey to these types
of                       attacks just goes to
                       show the level of hypocrisy inherent to the    
                  situation. Especially when
                       their solution to the problem is to just pass
more                       and more restrictive
                       laws (as if that's going to stop them). These
kids                       are showing people
                       that the emperor has no clothes and that's
whats                       making people angry,
                       they are putting someones paycheck in danger.
Why                       don't we solve the
                       problem by actually addressing the real problem
                      and fixing systems that
                       need to be fixed? Why not hire these kids with
the                       time and energy on
                       their hands to probe for these weaknesses on a 
                     large scale? The ones
                       currently in the job slots to do this clearly  
                    aren't doing it.  I bet if
                       they started replacing these people with these 
                     kids it would shake the
                       lethargy out of the rest of them and you would
see                       a general increase in
                       competence and security. Knowing that if you
get                       your network owned by a
                       teenager will not only get you fired, but
replaced                       with said teenager is
                       one hell of an incentive to make sure you get
it                       right.
                       Yes they would have to be taught additional
skills                       to round out what
                       they know, but every job requires some level of
                      training and there are
                       quite a few workplaces that will help their    
                  employees continue their
                       education because it benefits the company to do
                      so. This would be no
                       different except that the employees would be   
                   younger, and younger people
                       do tend to learn faster so it would likely take
                      less time to teach these
                       kids the needed skills to round out what they  
                    already know than it would
                       to teach someone older the same thing. It is
the                       same principal behind
                       teaching young children multiple languages,
they                       learn them better than
                       adults.
 _______________________________________________
                           Full-Disclosure - We believe in it.
                           Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
                           Hosted and sponsored by Secunia -
http://secunia.com/
                                                          Because the
ones in charge right now can't even seem to fire             up sqlmap
now and then to see if they are vuln. And if you             really
believe that they just do it for the lulz line...
          Well that's what you get when you let profit margins dictate
    security policy. You guys act pretty tough when you argue with
each     other online but you can't stand up to some corporate idiots?
Sounds     like this industry could benefit from these kids even more
since     they are driving home the points you all are supposed to be
warning     them about.
    
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/