How many of those engaged in these attacks _could_ actually fix the vulns they exploit? What is a good "rough estimate" in your opinion?

On Jan 11, 2012 12:47 AM, "Laurelai" <[email protected]> wrote:
> On 1/10/12 11:32 PM, James Smith wrote:
> > Well I do agree with what you are stating. As I have seen incidents
> > like this happen too many times.
> > This mailing list is a big part of the IT Security community.
> >
> > -----Original Message-----
> > From: Laurelai
> > Sent: Wednesday, January 11, 2012 1:18 AM
> > To: [email protected]
> > Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
> >
> > On 1/10/12 10:18 PM, Byron Sonne wrote:
> >>> Don't piss off a talented adolescent with computer skills.
> >> Amen! I love me some stylin' pwnage :)
> >>
> >> Whether they were skiddies or actual hackers, it's still amusing (and
> >> frightening to some) that companies who really should know better, in
> >> fact, don't.
> >>
> > And again, if companies hired these people, most of whom come from
> > disadvantaged backgrounds and are self-taught, they wouldn't have as much
> > of a reason to be angry anymore. Most of them feel like they don't have any
> > real opportunities for a career, and they are often right. Microsoft
> > hired some kid who hacked their network; it is a safe bet he isn't going
> > to be causing any trouble anymore. Talking about the trust issue, who
> > would you trust more: the person who has all the certs and experience
> > that told you your network was safe, or the 14-year-old who proved him
> > wrong? We all know if that kid had approached Microsoft with his exploit
> > in a responsible manner they would have outright ignored him. That's why
> > this mailing list exists, because companies will ignore security issues
> > until it bites them in the ass, to save a buck.
> >
> > People are way too obsessed with having certifications that don't
> > actually teach practical intrusion techniques. If a system is so fragile
> > that teenagers can take it down with minimal effort, then there is a
> > serious problem with the IT security industry. Think about it: how long
> > has SQL injection been around? There is absolutely no excuse for being
> > vulnerable to it. None whatsoever. These kids are showing people the
> > truth about the state of security online, and that is what's making people
> > afraid of them. They aren't writing 0-days every week; they are using
> > vulnerabilities that are publicly available, using tools that are
> > publicly available, tools that were meant to be used by the people
> > protecting the systems. Clearly the people in charge of protecting these
> > systems aren't using these tools to scan their systems, or else they would
> > have found the weaknesses first.
> >
> > The fact that government organizations, large-name companies and
> > government contractors fall prey to these types of attacks just goes to
> > show the level of hypocrisy inherent to the situation, especially when
> > their solution to the problem is to just pass more and more restrictive
> > laws (as if that's going to stop them). These kids are showing people
> > that the emperor has no clothes, and that's what's making people angry:
> > they are putting someone's paycheck in danger. Why don't we solve the
> > problem by actually addressing the real problem and fixing systems that
> > need to be fixed? Why not hire these kids with the time and energy on
> > their hands to probe for these weaknesses on a large scale? The ones
> > currently in the job slots to do this clearly aren't doing it. I bet if
> > they started replacing these people with these kids it would shake the
> > lethargy out of the rest of them, and you would see a general increase in
> > competence and security. Knowing that getting your network owned by a
> > teenager will not only get you fired, but replaced with said teenager, is
> > one hell of an incentive to make sure you get it right.
> >
> > Yes, they would have to be taught additional skills to round out what
> > they know, but every job requires some level of training, and there are
> > quite a few workplaces that will help their employees continue their
> > education because it benefits the company to do so. This would be no
> > different except that the employees would be younger, and younger people
> > do tend to learn faster, so it would likely take less time to teach these
> > kids the needed skills to round out what they already know than it would
> > to teach someone older the same thing. It is the same principle behind
> > teaching young children multiple languages: they learn them better than
> > adults.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Yes, I am aware they are; the ones who cry out that they are just script
> kiddies and such are the ones who are most likely to be vulnerable, in my
> experience. Point is, they still got owned; it doesn't matter if the method
> was easy. In fact, because it was easy, it should be an even greater concern
> to everyone here. The fact that Stratfor got owned like they did shows
> they were beyond negligent; HBGary was the same, as was Sony. They
> shouldn't be trying to prosecute these kids; they should go after these
> companies for grossly mishandling people's personal information.
>
