Ok, obviously you never worked for a big corporate entity :)
Sure, standing up to them is fine; after shouting about the bug for 4 months
I thought, bah, why bother, it's their asses, not mine.
Just going in and fixing a bug without the mandate is usually not a good idea
(if you want to keep your job so you can pay your bills, that is..)

On 12 Jan 2012 10:41, Laurelai <[email protected]> wrote:
> On 1/12/12 3:34 AM, doc mombasa wrote:
>> I don't know if you ever worked for a big corporate entity?
>> Like kovacs wrote, it's not about whether you can do it or not as an
>> employee, it's more about if your manager allows you the time to do it.
>> Pentesting doesn't change anything on the profits Excel sheet.
>> We can agree it looks bad when shit happens, but they usually don't think
>> that far ahead.
>> I tried once reporting a very simple SQL injection flaw to my manager,
>> including a proposed fix which would take all of 5 minutes to implement.
>> 18 months went by before that flaw was fixed because there was no profit
>> in allocating resources to fix it,
>> and that webapp was the #1 money generator for that company.
>>
>> On 12 Jan 2012 10:29, Laurelai <[email protected]> wrote:
>>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>>> Just one question:
>>>> why should they hire the "skiddies" if most of them only know how to
>>>> fire up sqlmap or whatever current app is hot right now?
>>>> Doesn't really seem like enough reason to hire anyone.
>>>> Besides, I'm not buying the whole "they do it because they are angry
>>>> at society" plop.
>>>> I've been there.. they do it for the lulz.
>>>>
>>>> On 11 Jan 2012 06:18, Laurelai <[email protected]> wrote:
>>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>>> Don't piss off a talented adolescent with computer skills.
>>>>>> Amen! I love me some stylin' pwnage :)
>>>>>>
>>>>>> Whether they were skiddies or actual hackers, it's still amusing (and
>>>>>> frightening to some) that companies who really should know better, in
>>>>>> fact, don't.
>>>>>>
>>>>> And again, if companies hired these people, most of whom come from
>>>>> disadvantaged backgrounds and are self-taught, they wouldn't have as
>>>>> much of a reason to be angry anymore. Most of them feel like they don't
>>>>> have any real opportunities for a career, and they are often right.
>>>>> Microsoft hired some kid who hacked their network; it is a safe bet he
>>>>> isn't going to be causing any trouble anymore. Talking about the trust
>>>>> issue, who would you trust more: the person who has all the certs and
>>>>> experience that told you your network was safe, or the 14 year old who
>>>>> proved him wrong? We all know if that kid had approached Microsoft with
>>>>> his exploit in a responsible manner they would have outright ignored
>>>>> him; that's why this mailing list exists, because companies will ignore
>>>>> security issues until it bites them in the ass to save a buck.
>>>>>
>>>>> People are way too obsessed with having certifications that don't
>>>>> actually teach practical intrusion techniques. If a system is so
>>>>> fragile that teenagers can take it down with minimal effort then there
>>>>> is a serious problem with the IT security industry. Think about it: how
>>>>> long has SQL injection been around? There is absolutely no excuse for
>>>>> being vulnerable to it. None whatsoever. These kids are showing people
>>>>> the truth about the state of security online and that is what's making
>>>>> people afraid of them. They aren't writing 0-days every week, they are
>>>>> using vulnerabilities that are publicly available. Using tools that are
>>>>> publicly available, tools that were meant to be used by the people
>>>>> protecting the systems. Clearly the people in charge of protecting
>>>>> these systems aren't using these tools to scan their systems or else
>>>>> they would have found the weaknesses first.
>>>>>
>>>>> The fact that government organizations and large name companies and
>>>>> government contractors fall prey to these types of attacks just goes to
>>>>> show the level of hypocrisy inherent to the situation. Especially when
>>>>> their solution to the problem is to just pass more and more restrictive
>>>>> laws (as if that's going to stop them). These kids are showing people
>>>>> that the emperor has no clothes and that's what's making people angry:
>>>>> they are putting someone's paycheck in danger. Why don't we solve the
>>>>> problem by actually addressing the real problem and fixing systems that
>>>>> need to be fixed? Why not hire these kids with the time and energy on
>>>>> their hands to probe for these weaknesses on a large scale? The ones
>>>>> currently in the job slots to do this clearly aren't doing it. I bet if
>>>>> they started replacing these people with these kids it would shake the
>>>>> lethargy out of the rest of them and you would see a general increase
>>>>> in competence and security. Knowing that getting your network owned by
>>>>> a teenager will not only get you fired, but replaced with said
>>>>> teenager, is one hell of an incentive to make sure you get it right.
>>>>>
>>>>> Yes, they would have to be taught additional skills to round out what
>>>>> they know, but every job requires some level of training and there are
>>>>> quite a few workplaces that will help their employees continue their
>>>>> education because it benefits the company to do so. This would be no
>>>>> different except that the employees would be younger, and younger
>>>>> people do tend to learn faster, so it would likely take less time to
>>>>> teach these kids the needed skills to round out what they already know
>>>>> than it would to teach someone older the same thing. It is the same
>>>>> principle behind teaching young children multiple languages: they learn
>>>>> them better than adults.
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>> Because the ones in charge right now can't even seem to fire up sqlmap
>>> now and then to see if they are vuln. And if you really believe that
>>> they just do it for the lulz line...
>>
>
> Well, that's what you get when you let profit margins dictate security
> policy. You guys act pretty tough when you argue with each other online but
> you can't stand up to some corporate idiots? Sounds like this industry
> could benefit from these kids even more since they are driving home the
> points you all are supposed to be warning them about.
>
