Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Thu, 12 Jan 2012 03:52:13 -0600

On 1/12/12 3:47 AM, doc mombasa wrote:
ok obviously you never worked for a big corporate entity :)
sure standing up to them is fine
after shouting about the bug for 4 months i thought bah why bother its their asses not mine just going in and fixing a bug without the mandate is usually not a good idea (if you want to keep your job so you can pay your bills that is..)

Den 12. jan. 2012 10.41 skrev Laurelai <laurelai () oneechan org <mailto:laurelai () oneechan org>>:

    On 1/12/12 3:34 AM, doc mombasa wrote:
    i dont know if you ever worked for a big corporate entity?
    like kovacs wrote its not about whether you can do it or not as
    an employee its more about if your manager allows you the time to
    do it
    pentesting doesnt change anything on the profits excel sheet
    we can agree it looks bad when shit happens but they usually dont
    think that far ahead
    i tried once reporting a very simple sql injection flaw to my
    manager and including a proposed fix which would take all of 5
    minutes to implement
    18 months went by before that flaw was fixed because there was no
    profits in allocating resources to fix it
    and that webapp was the #1 money generator for that company

    Den 12. jan. 2012 10.29 skrev Laurelai <laurelai () oneechan org
    <mailto:laurelai () oneechan org>>:

        On 1/12/12 3:27 AM, doc mombasa wrote:
        just one question
        why should they hire the "skiddies" if most of them only
        know how to fire up sqlmap or whatever current app is hot
        right now?
        doesnt really seem like enough reason to hire anyone
        besides im not buying the whole "they do it because they are
        angry at society" plop
        ive been there.. they do it for the lulz

        Den 11. jan. 2012 06.18 skrev Laurelai
        <laurelai () oneechan org <mailto:laurelai () oneechan org>>:

            On 1/10/12 10:18 PM, Byron Sonne wrote:
            >> Don't piss off a talented adolescent with computer
            skills.
            > Amen! I love me some stylin' pwnage :)
            >
            > Whether they were skiddies or actual hackers, it's
            still amusing (and
            > frightening to some) that companies who really should
            know better, in
            > fact, don't.
            >
            And again, if companies hired these people, most of whom
            come from
            disadvantaged backgrounds and are self taught they
            wouldn't have as much
            a reason to be angry anymore. Most of them feel like
            they don't have any
            real opportunities for a career and they are often
            right. Microsoft
            hired some kid who hacked their network, it is a safe
            bet he isn't going
            to be causing any trouble anymore. Talking about the
            trust issue, who
            would you trust more the person who has all the certs
            and experience
            that told you your network was safe or the 14 year old
            who proved him
            wrong? We all know if that kid had approached microsoft
            with his exploit
            in a responsible manner they would have outright ignored
            him, that's why
            this mailing list exists, because companies will ignore
            security issues
            until it bites them in the ass to save a buck.

            People are way too obsessed with having certifications
            that don't
            actually teach practical intrusion techniques. If a
            system is so fragile
            that teenagers can take it down with minimal effort then
            there is a
            serious problem with the IT security industry. Think
            about it how long
            has sql injection been around? There is absolutely no
            excuse for being
            vulnerable to it. None what so ever. These kids are
            showing people the
            truth about the state of security online and that is
            whats making people
            afraid of them. They aren't writing 0 days every week,
            they are using
            vulnerabilities that are publicly available. Using tools
            that are
            publicly available, tools that were meant to be used by
            the people
            protecting the systems. Clearly the people in charge of
            protecting these
            system aren't using these tools to scan their systems or
            else they would
            have found the weaknesses first.

            The fact that government organizations and large name
            companies and
            government contractors fall prey to these types of
            attacks just goes to
            show the level of hypocrisy inherent to the situation.
            Especially when
            their solution to the problem is to just pass more and
            more restrictive
            laws (as if that's going to stop them). These kids are
            showing people
            that the emperor has no clothes and that's whats making
            people angry,
            they are putting someones paycheck in danger. Why don't
            we solve the
            problem by actually addressing the real problem and
            fixing systems that
            need to be fixed? Why not hire these kids with the time
            and energy on
            their hands to probe for these weaknesses on a large
            scale? The ones
            currently in the job slots to do this clearly aren't
            doing it.  I bet if
            they started replacing these people with these kids it
            would shake the
            lethargy out of the rest of them and you would see a
            general increase in
            competence and security. Knowing that if you get your
            network owned by a
            teenager will not only get you fired, but replaced with
            said teenager is
            one hell of an incentive to make sure you get it right.


            Yes they would have to be taught additional skills to
            round out what
            they know, but every job requires some level of training
            and there are
            quite a few workplaces that will help their employees
            continue their
            education because it benefits the company to do so. This
            would be no
            different except that the employees would be younger,
            and younger people
            do tend to learn faster so it would likely take less
            time to teach these
            kids the needed skills to round out what they already
            know than it would
            to teach someone older the same thing. It is the same
            principal behind
            teaching young children multiple languages, they learn
            them better than
            adults.

            _______________________________________________
            Full-Disclosure - We believe in it.
            Charter:
            http://lists.grok.org.uk/full-disclosure-charter.html
            Hosted and sponsored by Secunia - http://secunia.com/


        Because the ones in charge right now can't even seem to fire
        up sqlmap now and then to see if they are vuln. And if you
        really believe that they just do it for the lulz line...


    Well that's what you get when you let profit margins dictate
    security policy. You guys act pretty tough when you argue with
    each other online but you can't stand up to some corporate idiots?
    Sounds like this industry could benefit from these kids even more
    since they are driving home the points you all are supposed to be
    warning them about.


Ok, obviously you don't actually care about information security. Enjoy kids owning your networks.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]