Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Thu, 12 Jan 2012 03:41:48 -0600

On 1/12/12 3:34 AM, doc mombasa wrote:
i dont know if you ever worked for a big corporate entity?
like kovacs wrote its not about whether you can do it or not as an employee its more about if your manager allows you the time to do it
pentesting doesnt change anything on the profits excel sheet
we can agree it looks bad when shit happens but they usually dont think that far ahead i tried once reporting a very simple sql injection flaw to my manager and including a proposed fix which would take all of 5 minutes to implement 18 months went by before that flaw was fixed because there was no profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

Den 12. jan. 2012 10.29 skrev Laurelai <laurelai () oneechan org <mailto:laurelai () oneechan org>>:

    On 1/12/12 3:27 AM, doc mombasa wrote:
    just one question
    why should they hire the "skiddies" if most of them only know how
    to fire up sqlmap or whatever current app is hot right now?
    doesnt really seem like enough reason to hire anyone
    besides im not buying the whole "they do it because they are
    angry at society" plop
    ive been there.. they do it for the lulz

    Den 11. jan. 2012 06.18 skrev Laurelai <laurelai () oneechan org
    <mailto:laurelai () oneechan org>>:

        On 1/10/12 10:18 PM, Byron Sonne wrote:
        >> Don't piss off a talented adolescent with computer skills.
        > Amen! I love me some stylin' pwnage :)
        > Whether they were skiddies or actual hackers, it's still
        amusing (and
        > frightening to some) that companies who really should know
        better, in
        > fact, don't.
        And again, if companies hired these people, most of whom come
        disadvantaged backgrounds and are self taught they wouldn't
        have as much
        a reason to be angry anymore. Most of them feel like they
        don't have any
        real opportunities for a career and they are often right.
        hired some kid who hacked their network, it is a safe bet he
        isn't going
        to be causing any trouble anymore. Talking about the trust
        issue, who
        would you trust more the person who has all the certs and
        that told you your network was safe or the 14 year old who
        proved him
        wrong? We all know if that kid had approached microsoft with
        his exploit
        in a responsible manner they would have outright ignored him,
        that's why
        this mailing list exists, because companies will ignore
        security issues
        until it bites them in the ass to save a buck.

        People are way too obsessed with having certifications that don't
        actually teach practical intrusion techniques. If a system is
        so fragile
        that teenagers can take it down with minimal effort then
        there is a
        serious problem with the IT security industry. Think about it
        how long
        has sql injection been around? There is absolutely no excuse
        for being
        vulnerable to it. None what so ever. These kids are showing
        people the
        truth about the state of security online and that is whats
        making people
        afraid of them. They aren't writing 0 days every week, they
        are using
        vulnerabilities that are publicly available. Using tools that are
        publicly available, tools that were meant to be used by the
        protecting the systems. Clearly the people in charge of
        protecting these
        system aren't using these tools to scan their systems or else
        they would
        have found the weaknesses first.

        The fact that government organizations and large name
        companies and
        government contractors fall prey to these types of attacks
        just goes to
        show the level of hypocrisy inherent to the situation.
        Especially when
        their solution to the problem is to just pass more and more
        laws (as if that's going to stop them). These kids are
        showing people
        that the emperor has no clothes and that's whats making
        people angry,
        they are putting someones paycheck in danger. Why don't we
        solve the
        problem by actually addressing the real problem and fixing
        systems that
        need to be fixed? Why not hire these kids with the time and
        energy on
        their hands to probe for these weaknesses on a large scale?
        The ones
        currently in the job slots to do this clearly aren't doing
        it.  I bet if
        they started replacing these people with these kids it would
        shake the
        lethargy out of the rest of them and you would see a general
        increase in
        competence and security. Knowing that if you get your network
        owned by a
        teenager will not only get you fired, but replaced with said
        teenager is
        one hell of an incentive to make sure you get it right.

        Yes they would have to be taught additional skills to round
        out what
        they know, but every job requires some level of training and
        there are
        quite a few workplaces that will help their employees
        continue their
        education because it benefits the company to do so. This
        would be no
        different except that the employees would be younger, and
        younger people
        do tend to learn faster so it would likely take less time to
        teach these
        kids the needed skills to round out what they already know
        than it would
        to teach someone older the same thing. It is the same
        principal behind
        teaching young children multiple languages, they learn them
        better than

        Full-Disclosure - We believe in it.
        Charter: http://lists.grok.org.uk/full-disclosure-charter.html
        Hosted and sponsored by Secunia - http://secunia.com/

    Because the ones in charge right now can't even seem to fire up
    sqlmap now and then to see if they are vuln. And if you really
    believe that they just do it for the lulz line...

Well that's what you get when you let profit margins dictate security policy. You guys act pretty tough when you argue with each other online but you can't stand up to some corporate idiots? Sounds like this industry could benefit from these kids even more since they are driving home the points you all are supposed to be warning them about.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]