Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Thu, 12 Jan 2012 14:03:41 -0600

On 1/12/12 2:00 PM, Elazar Broad wrote:
"Sounds like this industry could benefit from these kids even more since they are driving home the points you all are supposed to be warning them about."

That's because these kids don't have mouths to feed and a paycheck to worry about. Ethics and ethos are all very nice when you have nothing to lose, all to gain and no one depending on you...

On Thursday, January 12, 2012 at 4:43 AM, Laurelai <laurelai () oneechan org> wrote:

    On 1/12/12 3:34 AM, doc mombasa wrote:

        i dont know if you ever worked for a big corporate entity?
        like kovacs wrote its not about whether you can do it or not
        as an employee its more about if your manager allows you the
        time to do it
        pentesting doesnt change anything on the profits excel sheet
        we can agree it looks bad when shit happens but they usually
        dont think that far ahead
        i tried once reporting a very simple sql injection flaw to my
        manager and including a proposed fix which would take all of 5
        minutes to implement
        18 months went by before that flaw was fixed because there was
        no profits in allocating resources to fix it
        and that webapp was the #1 money generator for that company

        Den 12. jan. 2012 10.29 skrev Laurelai <laurelai () oneechan org>:

            On 1/12/12 3:27 AM, doc mombasa wrote:

                just one question
                why should they hire the "skiddies" if most of them
                only know how to fire up sqlmap or whatever current
                app is hot right now?
                doesnt really seem like enough reason to hire anyone
                besides im not buying the whole "they do it because
                they are angry at society" plop
                ive been there.. they do it for the lulz

                Den 11. jan. 2012 06.18 skrev Laurelai
                <laurelai () oneechan org>:

                    On 1/10/12 10:18 PM, Byron Sonne wrote:
                    >> Don't piss off a talented adolescent with
                    computer skills.
                    > Amen! I love me some stylin' pwnage :)
                    >
                    > Whether they were skiddies or actual hackers,
                    it's still amusing (and
                    > frightening to some) that companies who really
                    should know better, in
                    > fact, don't.
                    >
                    And again, if companies hired these people, most
                    of whom come from
                    disadvantaged backgrounds and are self taught they
                    wouldn't have as much
                    a reason to be angry anymore. Most of them feel
                    like they don't have any
                    real opportunities for a career and they are often
                    right. Microsoft
                    hired some kid who hacked their network, it is a
                    safe bet he isn't going
                    to be causing any trouble anymore. Talking about
                    the trust issue, who
                    would you trust more the person who has all the
                    certs and experience
                    that told you your network was safe or the 14 year
                    old who proved him
                    wrong? We all know if that kid had approached
                    microsoft with his exploit
                    in a responsible manner they would have outright
                    ignored him, that's why
                    this mailing list exists, because companies will
                    ignore security issues
                    until it bites them in the ass to save a buck.

                    People are way too obsessed with having
                    certifications that don't
                    actually teach practical intrusion techniques. If
                    a system is so fragile
                    that teenagers can take it down with minimal
                    effort then there is a
                    serious problem with the IT security industry.
                    Think about it how long
                    has sql injection been around? There is absolutely
                    no excuse for being
                    vulnerable to it. None what so ever. These kids
                    are showing people the
                    truth about the state of security online and that
                    is whats making people
                    afraid of them. They aren't writing 0 days every
                    week, they are using
                    vulnerabilities that are publicly available. Using
                    tools that are
                    publicly available, tools that were meant to be
                    used by the people
                    protecting the systems. Clearly the people in
                    charge of protecting these
                    system aren't using these tools to scan their
                    systems or else they would
                    have found the weaknesses first.

                    The fact that government organizations and large
                    name companies and
                    government contractors fall prey to these types of
                    attacks just goes to
                    show the level of hypocrisy inherent to the
                    situation. Especially when
                    their solution to the problem is to just pass more
                    and more restrictive
                    laws (as if that's going to stop them). These kids
                    are showing people
                    that the emperor has no clothes and that's whats
                    making people angry,
                    they are putting someones paycheck in danger. Why
                    don't we solve the
                    problem by actually addressing the real problem
                    and fixing systems that
                    need to be fixed? Why not hire these kids with the
                    time and energy on
                    their hands to probe for these weaknesses on a
                    large scale? The ones
                    currently in the job slots to do this clearly
                    aren't doing it.  I bet if
                    they started replacing these people with these
                    kids it would shake the
                    lethargy out of the rest of them and you would see
                    a general increase in
                    competence and security. Knowing that if you get
                    your network owned by a
                    teenager will not only get you fired, but replaced
                    with said teenager is
                    one hell of an incentive to make sure you get it
                    right.


                    Yes they would have to be taught additional skills
                    to round out what
                    they know, but every job requires some level of
                    training and there are
                    quite a few workplaces that will help their
                    employees continue their
                    education because it benefits the company to do
                    so. This would be no
                    different except that the employees would be
                    younger, and younger people
                    do tend to learn faster so it would likely take
                    less time to teach these
                    kids the needed skills to round out what they
                    already know than it would
                    to teach someone older the same thing. It is the
                    same principal behind
                    teaching young children multiple languages, they
                    learn them better than
                    adults.

                    _______________________________________________
                    Full-Disclosure - We believe in it.
                    Charter:
                    http://lists.grok.org.uk/full-disclosure-charter.html
                    Hosted and sponsored by Secunia - http://secunia.com/


            Because the ones in charge right now can't even seem to
            fire up sqlmap now and then to see if they are vuln. And
            if you really believe that they just do it for the lulz
            line...


    Well that's what you get when you let profit margins dictate
    security policy. You guys act pretty tough when you argue with
    each other online but you can't stand up to some corporate idiots?
    Sounds like this industry could benefit from these kids even more
    since they are driving home the points you all are supposed to be
    warning them about.


Live your life like every day is your last :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault