Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Wed, 11 Jan 2012 01:17:55 -0600

On 1/11/12 1:15 AM, Kyle Creyts wrote:

How many of those engaged in these attacks _could_ actually fix the vulns they exploit? What is a good "rough estimate" in your opinion?

On Jan 11, 2012 12:47 AM, "Laurelai" <laurelai () oneechan org <mailto:laurelai () oneechan org>> wrote:

    On 1/10/12 11:32 PM, James Smith wrote:
    > Well I do agree with what you are stating. As I have seen incidents
    > like this happen to many times.
    > This mailing list is a big part of the IT Security community.
    > -----Original Message----- From: Laurelai
    > Sent: Wednesday, January 11, 2012 1:18 AM
    > To: full-disclosure () lists grok org uk
    <mailto:full-disclosure () lists grok org uk>
    > Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident
    > On 1/10/12 10:18 PM, Byron Sonne wrote:
    >>> Don't piss off a talented adolescent with computer skills.
    >> Amen! I love me some stylin' pwnage :)
    >> Whether they were skiddies or actual hackers, it's still
    amusing (and
    >> frightening to some) that companies who really should know
    better, in
    >> fact, don't.
    > And again, if companies hired these people, most of whom come from
    > disadvantaged backgrounds and are self taught they wouldn't have
    as much
    > a reason to be angry anymore. Most of them feel like they don't
    have any
    > real opportunities for a career and they are often right. Microsoft
    > hired some kid who hacked their network, it is a safe bet he
    isn't going
    > to be causing any trouble anymore. Talking about the trust
    issue, who
    > would you trust more the person who has all the certs and experience
    > that told you your network was safe or the 14 year old who
    proved him
    > wrong? We all know if that kid had approached microsoft with his
    > in a responsible manner they would have outright ignored him,
    that's why
    > this mailing list exists, because companies will ignore security
    > until it bites them in the ass to save a buck.
    > People are way too obsessed with having certifications that don't
    > actually teach practical intrusion techniques. If a system is so
    > that teenagers can take it down with minimal effort then there is a
    > serious problem with the IT security industry. Think about it
    how long
    > has sql injection been around? There is absolutely no excuse for
    > vulnerable to it. None what so ever. These kids are showing
    people the
    > truth about the state of security online and that is whats
    making people
    > afraid of them. They aren't writing 0 days every week, they are
    > vulnerabilities that are publicly available. Using tools that are
    > publicly available, tools that were meant to be used by the people
    > protecting the systems. Clearly the people in charge of
    protecting these
    > system aren't using these tools to scan their systems or else
    they would
    > have found the weaknesses first.
    > The fact that government organizations and large name companies and
    > government contractors fall prey to these types of attacks just
    goes to
    > show the level of hypocrisy inherent to the situation.
    Especially when
    > their solution to the problem is to just pass more and more
    > laws (as if that's going to stop them). These kids are showing
    > that the emperor has no clothes and that's whats making people
    > they are putting someones paycheck in danger. Why don't we solve the
    > problem by actually addressing the real problem and fixing
    systems that
    > need to be fixed? Why not hire these kids with the time and
    energy on
    > their hands to probe for these weaknesses on a large scale? The ones
    > currently in the job slots to do this clearly aren't doing it.
     I bet if
    > they started replacing these people with these kids it would
    shake the
    > lethargy out of the rest of them and you would see a general
    increase in
    > competence and security. Knowing that if you get your network
    owned by a
    > teenager will not only get you fired, but replaced with said
    teenager is
    > one hell of an incentive to make sure you get it right.
    > Yes they would have to be taught additional skills to round out what
    > they know, but every job requires some level of training and
    there are
    > quite a few workplaces that will help their employees continue their
    > education because it benefits the company to do so. This would be no
    > different except that the employees would be younger, and
    younger people
    > do tend to learn faster so it would likely take less time to
    teach these
    > kids the needed skills to round out what they already know than
    it would
    > to teach someone older the same thing. It is the same principal
    > teaching young children multiple languages, they learn them
    better than
    > adults.
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    Yes I am aware they are, the ones who cry out that they are just
    kiddies and such are the ones who are most likely to be vulnerable
    in my
    experience. Point is they still got owned, doesn't matter if the
    was easy. In fact because it was easy should be an even greater
    to everyone here. The fact that Stratfor got owned like they did shows
    they were beyond negligent, HBGary was the same as was Sony. They
    shouldn't be trying to prosecute these kids they should go after these
    companies for grossly mishandling peoples personal information.

    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

More than the number of so called experts that can prevent it in the first place :)
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]