From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
backyard () yahoo-inc
Sent: Sunday, October 17, 2004 2:54 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] Full-disclosure Posts
On Sun, 17 Oct 2004 12:34:33 -0500, Todd Towles
<toddtowles () brookshires com> wrote:
I agree with your idea, but I am one of those uni graduate/20 something professionals. I am very passionate about my work and the security of the company I work for. I work in a rural state and the money isn't as high as some other places. I took a pay cut to work in the IT field when I finished college.
Maybe you weren't talking about people like myself in your (since most people that are part of FD are here to be on the edge of security and around people that understand them) but it seemed like you were talking in pretty general terms....with that in mind I have to disagree with you that all the 20 something professionals are not good security professionals. A lot of the older folks are in the corner talking about their 1980 modems, while some 15 year old from South America uses a three year old exploit on their misconfigured Apache webserver and defaces it.
I agree that you have to love computers...you have to eat and sleep computers/security to be good in the field and a lot of people in the IT field aren't like that. Kinda sad, but I will have their job one day..so..I just smile.
My motivation is Yahoo.. these guys need to wake up more. Everything about them says they are out of touch with the threats of today. If you report X, they patch X, even if they know Y and Z are vulnerable, the apparent attitude is to leave Y and Z until they get reported or become an active problem, because they want to move onto the next reported vulnerability. From the idea I get, it's all about what looks good on paper and productivity. I mean, I bet Yahoo hand out most productive security employee of the month awards and stuff. It's all screwed up and wrong.
My stance is.. Yahoo sack all the ones who are in it for the money, keep the employees who think like a hacker, then recruit some real life hackers from the underground. That combination is a winning security team, not the current team who in my opinion are out of touch and outdated for the threats of the 21st century.
As for misconfigured web servers with 3 year old exploit. Yahoo! don't even need exploits and misconfigured web servers. They do fine by cutting corners and taking short cuts in security. Half the network is vulnerable to all manner of stuff. In my opinion, the only threat to Yahoo are Yahoo themselves, not hackers.
Sorry to go on about Yahoo, but it's something I'm passionate about.
Feel free to hit the block sender button, I fully understand.
Full-Disclosure - We believe in it.