Well, I didn't take offense... a lot of companies are very lazy with security... just wanted to throw in my 2 cents.

Just look at all the pen-testing companies that throw you a Nessus report with a logo on top of it. They have never tested the reported hole with another method or even tried any other hacking method (social). Don't worry, I see your point too clearly.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, October 17, 2004 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Full-Disclosure Posts
>
> On Sun, 17 Oct 2004 12:34:33 -0500, Todd Towles
> <[EMAIL PROTECTED]> wrote:
> > I agree with your idea, but I am one of those uni graduate/20
> > something professionals. I am very passionate about my work and the
> > security of the company I work for. I work in a rural state and the
> > money isn't as high as some other places. I took a pay cut to work in
> > the IT field when I finished college.
> >
> > Maybe you weren't talking about people like myself in your statement
> > (since most people that are part of FD are here to be on the edge of
> > security and around people that understand them) but it seemed like
> > you were talking in pretty general terms... with that in mind I have
> > to disagree with you that all the 20 something professionals are not
> > good security professionals. A lot of the older folks are sitting in
> > the corner talking about their 1980 modems, while some 15 year old
> > from South America uses a three year old exploit on their
> > misconfigured Apache webserver and defaces it.
> >
> > I agree that you have to love computers... you have to eat and sleep
> > computers/security to be good in the field and a lot of people in the
> > IT field aren't like that. Kinda sad, but I will have their job one
> > day... so... I just smile.
>
> My motivation is Yahoo... these guys need to wake up more.
> Everything about them says they are out of touch with the
> threats of today. If you report X, they patch X, even if they
> know Y and Z are vulnerable; the apparent attitude is to
> leave Y and Z until they get reported or become an active
> problem, because they want to move on to the next reported
> vulnerability. From the idea I get, it's all about what looks
> good on paper and productivity. I mean, I bet Yahoo hand out
> most productive security employee of the month awards and
> stuff. It's all screwed up and wrong.
>
> My stance is... Yahoo sack all the ones who are in it for the
> money, keep the employees who think like a hacker, then
> recruit some real life hackers from the underground. That
> combination is a winning security team, not the current team
> who in my opinion are out of touch and outdated for the
> threats of the 21st century.
>
> As for misconfigured web servers with a 3 year old exploit:
> Yahoo! don't even need exploits and misconfigured web
> servers. They do fine by cutting corners and taking short
> cuts in security. Half the network is vulnerable to all
> manner of stuff. In my opinion, the only threat to Yahoo is
> Yahoo themselves, not hackers.
>
> Sorry to go on about Yahoo, but it's something I'm passionate about.
>
> Feel free to hit the block sender button, I fully understand.
>
> :-)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
