Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Thu, 12 Jan 2012 03:55:58 -0600

On 1/12/12 3:54 AM, doc mombasa wrote:
and you are obviously blindly stuck on a point and has no idea how it actually works out there in "the real world"
in small companies you have freedom and ability to execute
in big companies not so much..

Den 12. jan. 2012 10.52 skrev Laurelai <laurelai () oneechan org <mailto:laurelai () oneechan org>>:

    On 1/12/12 3:47 AM, doc mombasa wrote:
    ok obviously you never worked for a big corporate entity :)
    sure standing up to them is fine
    after shouting about the bug for 4 months i thought bah why
    bother its their asses not mine
    just going in and fixing a bug without the mandate is usually not
    a good idea (if you want to keep your job so you can pay your
    bills that is..)

    Den 12. jan. 2012 10.41 skrev Laurelai <laurelai () oneechan org
    <mailto:laurelai () oneechan org>>:

        On 1/12/12 3:34 AM, doc mombasa wrote:
        i dont know if you ever worked for a big corporate entity?
        like kovacs wrote its not about whether you can do it or not
        as an employee its more about if your manager allows you the
        time to do it
        pentesting doesnt change anything on the profits excel sheet
        we can agree it looks bad when shit happens but they usually
        dont think that far ahead
        i tried once reporting a very simple sql injection flaw to
        my manager and including a proposed fix which would take all
        of 5 minutes to implement
        18 months went by before that flaw was fixed because there
        was no profits in allocating resources to fix it
        and that webapp was the #1 money generator for that company

        Den 12. jan. 2012 10.29 skrev Laurelai
        <laurelai () oneechan org <mailto:laurelai () oneechan org>>:

            On 1/12/12 3:27 AM, doc mombasa wrote:
            just one question
            why should they hire the "skiddies" if most of them
            only know how to fire up sqlmap or whatever current app
            is hot right now?
            doesnt really seem like enough reason to hire anyone
            besides im not buying the whole "they do it because
            they are angry at society" plop
            ive been there.. they do it for the lulz

            Den 11. jan. 2012 06.18 skrev Laurelai
            <laurelai () oneechan org <mailto:laurelai () oneechan org>>:

                On 1/10/12 10:18 PM, Byron Sonne wrote:
                >> Don't piss off a talented adolescent with
                computer skills.
                > Amen! I love me some stylin' pwnage :)
                > Whether they were skiddies or actual hackers,
                it's still amusing (and
                > frightening to some) that companies who really
                should know better, in
                > fact, don't.
                And again, if companies hired these people, most of
                whom come from
                disadvantaged backgrounds and are self taught they
                wouldn't have as much
                a reason to be angry anymore. Most of them feel
                like they don't have any
                real opportunities for a career and they are often
                right. Microsoft
                hired some kid who hacked their network, it is a
                safe bet he isn't going
                to be causing any trouble anymore. Talking about
                the trust issue, who
                would you trust more the person who has all the
                certs and experience
                that told you your network was safe or the 14 year
                old who proved him
                wrong? We all know if that kid had approached
                microsoft with his exploit
                in a responsible manner they would have outright
                ignored him, that's why
                this mailing list exists, because companies will
                ignore security issues
                until it bites them in the ass to save a buck.

                People are way too obsessed with having
                certifications that don't
                actually teach practical intrusion techniques. If a
                system is so fragile
                that teenagers can take it down with minimal effort
                then there is a
                serious problem with the IT security industry.
                Think about it how long
                has sql injection been around? There is absolutely
                no excuse for being
                vulnerable to it. None what so ever. These kids are
                showing people the
                truth about the state of security online and that
                is whats making people
                afraid of them. They aren't writing 0 days every
                week, they are using
                vulnerabilities that are publicly available. Using
                tools that are
                publicly available, tools that were meant to be
                used by the people
                protecting the systems. Clearly the people in
                charge of protecting these
                system aren't using these tools to scan their
                systems or else they would
                have found the weaknesses first.

                The fact that government organizations and large
                name companies and
                government contractors fall prey to these types of
                attacks just goes to
                show the level of hypocrisy inherent to the
                situation. Especially when
                their solution to the problem is to just pass more
                and more restrictive
                laws (as if that's going to stop them). These kids
                are showing people
                that the emperor has no clothes and that's whats
                making people angry,
                they are putting someones paycheck in danger. Why
                don't we solve the
                problem by actually addressing the real problem and
                fixing systems that
                need to be fixed? Why not hire these kids with the
                time and energy on
                their hands to probe for these weaknesses on a
                large scale? The ones
                currently in the job slots to do this clearly
                aren't doing it.  I bet if
                they started replacing these people with these kids
                it would shake the
                lethargy out of the rest of them and you would see
                a general increase in
                competence and security. Knowing that if you get
                your network owned by a
                teenager will not only get you fired, but replaced
                with said teenager is
                one hell of an incentive to make sure you get it right.

                Yes they would have to be taught additional skills
                to round out what
                they know, but every job requires some level of
                training and there are
                quite a few workplaces that will help their
                employees continue their
                education because it benefits the company to do so.
                This would be no
                different except that the employees would be
                younger, and younger people
                do tend to learn faster so it would likely take
                less time to teach these
                kids the needed skills to round out what they
                already know than it would
                to teach someone older the same thing. It is the
                same principal behind
                teaching young children multiple languages, they
                learn them better than

                Full-Disclosure - We believe in it.
                Hosted and sponsored by Secunia - http://secunia.com/

            Because the ones in charge right now can't even seem to
            fire up sqlmap now and then to see if they are vuln. And
            if you really believe that they just do it for the lulz

        Well that's what you get when you let profit margins dictate
        security policy. You guys act pretty tough when you argue
        with each other online but you can't stand up to some
        corporate idiots? Sounds like this industry could benefit
        from these kids even more since they are driving home the
        points you all are supposed to be warning them about.

    Ok, obviously you don't actually care about information security.
    Enjoy kids owning your networks.

Yes and its the fault of people who feel too intimidated to stand up for good policy. Thats *why* big companies are this way, your part of the problem.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]