Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: [Full-Disclosure] Full-disclosure Posts
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 18 Oct 2004 07:59:18 -0500

Well, I didn't take offense...alot of compaines are very lazy with
security...just wanted to throw in my 2 cents. 

Just look at all the pen-testing compaines..that throw you a nessus
report with a logo on top of it. They have never tested the reported
hole with another method or even tried any other hacking method
(social). Don't worry I see your point too clear. 

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
backyard () yahoo-inc
Sent: Sunday, October 17, 2004 2:54 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] Full-disclosure Posts

On Sun, 17 Oct 2004 12:34:33 -0500, Todd Towles 
<toddtowles () brookshires com> wrote:
I agree with your idea, but I am one of those uni graduate/20 
something professionals. I am very passion about my work and the 
security of the company I work for. I work in a rural state and the 
money isn't as high as some other places. I took a pay cut 
to work in 
the IT field when I finished college.

Maybe you weren't talking about people like myself in your 
(since most people that are part of FD are here to be on 
the edge of 
security and around people that understand them) but it seemed like 
you were talking in pretty general terms....with that in 
mind I have 
to disagree with you that all the 20 something 
professionals are not 
good security professionals. A lot of the older folks are 
sitting in 
the corner talking about their 1980 modems, while some 15 year old 
from south amercian uses a three year old exploit on their 
misconfigured Apache webserver and defaces it.

I agree that you have to love computers...you have to eat and sleep 
computers/security to be good in the field and a lot of 
people in the 
IT field aren't like that. Kinda sad, but I will have their job one 
day..so..I just smile.

My motivation is yahoo.. these guys need to wake up more. 
Everything about them says they are out of touch with the 
threats of today. If you report X, they patch X, even if they 
know Y and Z are vulnerable, the apparent attitude is to 
leave Y and Z until they get reported or become an active 
problem, because they want to move onto the next reported 
vulnerability. From the idea I get, its all about what looks 
good on paper and productivity. I mean, I bet yahoo hand out 
most productive security employee of the month awards and 
stuff. Its all screwed up and wrong.

My stance is.. yahoo sack all the ones who are in it for the 
money, keep the employees who think like a hacker, then 
recruit some real life hackers from the underground. That 
combination is a winning security team, not the current team 
who in my opinion are out of touch and out dated for the 
threats of the 21st century.

As for misconfigured web servers with 3 year old exploit. 
Yahoo! don't even need exploits and misconfigured web 
servers. They do fine by cutting corners and taking short 
cuts in security. Half the network is vulnerable to all 
manner of stuff. In my opinion, the only threat to Yahoo are 
Yahoo themselves, not hackers.

Sorry to go on about yahoo, but its something i'm passionate about.

Feel free to hit the block sender button, I fully understand. 


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]