Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response
From: "J. von Balzac" <jhm.balzac () gmail com>
Date: Mon, 9 Jan 2012 20:00:11 +0100

Most of the kids are skript kiddies, and don't really understand the *defense*
end of the security business very well.  Sure, some may be better than skript
kiddies, and may be *incredible* at finding a memory overlay or an SQL
injection, but do they know how to *secure* against *everything*?

Does that kid know anything about "continuity of operations"? How to negotiate
with network providers to guarantee diverse cable paths?  How to set up proper
audit trails so they can figure out what happened after the fact? How to deal
with physical security issues (how do you know the guy at the door works for
Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
evidence" order?  How to secure systems against insider threats and
embezzlement (still a big problem, even if hackers get more news time)? How to
ensure proper backups get done (this can be very non-trivial if you have
multiple petabytes of storage, and need to do point-in-time recoveries)? How to
do all the other things involved in actually making a data processing facility

Warning: my message is about semantics.

Valdis you make me curious - how do you know that most are kids, and
script kiddies? The label 'script kiddies' has been used for over 20
years and well, kids do grow old... aren't the script kiddies really
"script men" these days? The label "script kiddie" tends to downplay
their existence. It has a tone of "strong security officers, men of
renown, men with beards" who look down on those petty script kiddies
from their high places of arcane knowledge possessed by a mere few.

Isn't it more likely that the people who massively pwned Stratfor are
indeed mature and serious? It's easy to establish that "the lulzboat
people" for lack of a better term, are more mature than the
technicians at Stratfor will ever be. Better to call them "security
kiddies", I can understand that.

Of course it's common to refer to script kiddies in mailing lists and
to tech savvy people. As I'm not a pro I wonder if you guys (the
professional pen testers) refer to these people as script kiddies when
you talk with your clients.

Maybe 'penners' would be a better word, because even the word 'hacker'
is too broad. I can't stand it when 'laymen' refer to 'hackers' on
every occasion.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]