Like I said, standing up for good policy does not mean it will be enforced.

On 12 Jan 2012 10:55, Laurelai <[email protected]> wrote:
> On 1/12/12 3:54 AM, doc mombasa wrote:
>> And you are obviously blindly stuck on a point and have no idea how it
>> actually works out there in "the real world".
>>
>> In small companies you have freedom and ability to execute;
>> in big companies not so much..
>>
>> On 12 Jan 2012 10:52, Laurelai <[email protected]> wrote:
>>> On 1/12/12 3:47 AM, doc mombasa wrote:
>>>> Ok, obviously you never worked for a big corporate entity :)
>>>> Sure, standing up to them is fine.
>>>> After shouting about the bug for 4 months I thought bah, why bother,
>>>> it's their asses not mine.
>>>> Just going in and fixing a bug without the mandate is usually not a
>>>> good idea (if you want to keep your job so you can pay your bills,
>>>> that is..)
>>>>
>>>> On 12 Jan 2012 10:41, Laurelai <[email protected]> wrote:
>>>>> On 1/12/12 3:34 AM, doc mombasa wrote:
>>>>>> I don't know if you ever worked for a big corporate entity?
>>>>>> Like kovacs wrote, it's not about whether you can do it or not as
>>>>>> an employee, it's more about whether your manager allows you the
>>>>>> time to do it.
>>>>>> Pentesting doesn't change anything on the profits excel sheet.
>>>>>> We can agree it looks bad when shit happens, but they usually
>>>>>> don't think that far ahead.
>>>>>> I tried once reporting a very simple sql injection flaw to my
>>>>>> manager, including a proposed fix which would take all of 5
>>>>>> minutes to implement.
>>>>>> 18 months went by before that flaw was fixed because there were no
>>>>>> profits in allocating resources to fix it,
>>>>>> and that webapp was the #1 money generator for that company.
>>>>>>
>>>>>> On 12 Jan 2012 10:29, Laurelai <[email protected]> wrote:
>>>>>>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>>>>>>> Just one question:
>>>>>>>> why should they hire the "skiddies" if most of them only know
>>>>>>>> how to fire up sqlmap or whatever current app is hot right now?
>>>>>>>> Doesn't really seem like enough reason to hire anyone.
>>>>>>>> Besides, I'm not buying the whole "they do it because they are
>>>>>>>> angry at society" plop.
>>>>>>>> I've been there.. they do it for the lulz.
>>>>>>>>
>>>>>>>> On 11 Jan 2012 06:18, Laurelai <[email protected]> wrote:
>>>>>>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>>>>>>> Don't piss off a talented adolescent with computer skills.
>>>>>>>>>> Amen! I love me some stylin' pwnage :)
>>>>>>>>>>
>>>>>>>>>> Whether they were skiddies or actual hackers, it's still
>>>>>>>>>> amusing (and frightening to some) that companies who really
>>>>>>>>>> should know better, in fact, don't.
>>>>>>>>>>
>>>>>>>>> And again, if companies hired these people, most of whom come
>>>>>>>>> from disadvantaged backgrounds and are self taught, they
>>>>>>>>> wouldn't have as much a reason to be angry anymore. Most of
>>>>>>>>> them feel like they don't have any real opportunities for a
>>>>>>>>> career and they are often right. Microsoft hired some kid who
>>>>>>>>> hacked their network, it is a safe bet he isn't going to be
>>>>>>>>> causing any trouble anymore. Talking about the trust issue, who
>>>>>>>>> would you trust more, the person who has all the certs and
>>>>>>>>> experience that told you your network was safe or the 14 year
>>>>>>>>> old who proved him wrong? We all know if that kid had
>>>>>>>>> approached Microsoft with his exploit in a responsible manner
>>>>>>>>> they would have outright ignored him, that's why this mailing
>>>>>>>>> list exists, because companies will ignore security issues
>>>>>>>>> until it bites them in the ass to save a buck.
>>>>>>>>>
>>>>>>>>> People are way too obsessed with having certifications that
>>>>>>>>> don't actually teach practical intrusion techniques. If a
>>>>>>>>> system is so fragile that teenagers can take it down with
>>>>>>>>> minimal effort then there is a serious problem with the IT
>>>>>>>>> security industry. Think about it, how long has sql injection
>>>>>>>>> been around? There is absolutely no excuse for being vulnerable
>>>>>>>>> to it. None whatsoever. These kids are showing people the truth
>>>>>>>>> about the state of security online and that is what's making
>>>>>>>>> people afraid of them. They aren't writing 0 days every week,
>>>>>>>>> they are using vulnerabilities that are publicly available.
>>>>>>>>> Using tools that are publicly available, tools that were meant
>>>>>>>>> to be used by the people protecting the systems. Clearly the
>>>>>>>>> people in charge of protecting these systems aren't using these
>>>>>>>>> tools to scan their systems or else they would have found the
>>>>>>>>> weaknesses first.
>>>>>>>>>
>>>>>>>>> The fact that government organizations and large name companies
>>>>>>>>> and government contractors fall prey to these types of attacks
>>>>>>>>> just goes to show the level of hypocrisy inherent to the
>>>>>>>>> situation. Especially when their solution to the problem is to
>>>>>>>>> just pass more and more restrictive laws (as if that's going to
>>>>>>>>> stop them). These kids are showing people that the emperor has
>>>>>>>>> no clothes and that's what's making people angry, they are
>>>>>>>>> putting someone's paycheck in danger. Why don't we solve the
>>>>>>>>> problem by actually addressing the real problem and fixing
>>>>>>>>> systems that need to be fixed? Why not hire these kids with the
>>>>>>>>> time and energy on their hands to probe for these weaknesses on
>>>>>>>>> a large scale? The ones currently in the job slots to do this
>>>>>>>>> clearly aren't doing it. I bet if they started replacing these
>>>>>>>>> people with these kids it would shake the lethargy out of the
>>>>>>>>> rest of them and you would see a general increase in competence
>>>>>>>>> and security. Knowing that getting your network owned by a
>>>>>>>>> teenager will not only get you fired, but replaced with said
>>>>>>>>> teenager, is one hell of an incentive to make sure you get it
>>>>>>>>> right.
>>>>>>>>>
>>>>>>>>> Yes they would have to be taught additional skills to round out
>>>>>>>>> what they know, but every job requires some level of training
>>>>>>>>> and there are quite a few workplaces that will help their
>>>>>>>>> employees continue their education because it benefits the
>>>>>>>>> company to do so. This would be no different except that the
>>>>>>>>> employees would be younger, and younger people do tend to learn
>>>>>>>>> faster so it would likely take less time to teach these kids
>>>>>>>>> the needed skills to round out what they already know than it
>>>>>>>>> would to teach someone older the same thing. It is the same
>>>>>>>>> principle behind teaching young children multiple languages,
>>>>>>>>> they learn them better than adults.
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>> Because the ones in charge right now can't even seem to fire up
>>>>>>> sqlmap now and then to see if they are vuln. And if you really
>>>>>>> believe that they just do it for the lulz line...
>>>>>>>
>>>>>>
>>>>> Well that's what you get when you let profit margins dictate
>>>>> security policy. You guys act pretty tough when you argue with each
>>>>> other online but you can't stand up to some corporate idiots? Sounds
>>>>> like this industry could benefit from these kids even more since
>>>>> they are driving home the points you all are supposed to be warning
>>>>> them about.
>>>>>
>>>>
>>> Ok, obviously you don't actually care about information security.
>>> Enjoy kids owning your networks.
>>>
>>
> Yes, and it's the fault of people who feel too intimidated to stand up
> for good policy. That's *why* big companies are this way, you're part
> of the problem.
>
