Full Disclosure mailing list archives

Re: [SPAM] Re: [Full-Disclosure] Full-disclosure Posts

From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 18 Oct 2004 07:23:56 +0200 (CEST)

On Sun, 17 Oct 2004, yahoo@localhost wrote:

On Sat, 16 Oct 2004 19:13:18 -0700, Etaoin Shrdlu <shrdlu () deaddrop org> wrote:

Of course, anyone still using the term "hax0r" as though it were
meaningful might want to think further about what a "security
professional" might be


A security professional is someone who cares more about money than the
real issue of security at where they work. They don't go the extra
mile for the interests of security at where they work, as they don't
want to risk the job they're in.

My view is corporations should not employ uni graduates and
thirty-somethings to work in a security team. They very likely still
can't open a can of beans and certainly have no idea about the real
issues which face them. They follow company policy and go home at the
end of the day, and switch off.

The people who should be working at a security team should be
volunteers who have the real interests of the company in mind, instead
of money.

The security professional as we know it (uni graduate and 30
something) is not a hax0r, they are ph.d or whatever who are skilled
on an academic level, and thats as far as it goes, which in my opinion
isn't far enough.

Being a security professional is ment to be about passion, strictly
not money, in my humble opinion.

Stop employing academics and get the hackers in to do the job
properly, unpaid of course, at least to start off with, to make sure
they're joining the company for the right reasons. ;-)


Companies do not care about security. The CEO only works with numbers. If
bad security losses 100k per month but tightening things up loses 105k per
month on productivity they take the 5k per month profit regardless of who
is doing security and leave it open.

It has very little to do with attitude on the security staff. If you want
to work corporate you need to understand corporate thinking.

Taking simple countermeasures to prevent damagae from things like a
Slammer Worm are laughed at untill they get hit and loose 2 days worth of
business. Then they start screaming to get it installed yesterday.

You do not have to like it but that is the sad state we are in.

Hugo.

-- 
        I hate duplicates. Just reply to the relevant mailinglist.
        hvdkooij () vanderkooij org             http://hvdkooij.xs4all.nl/
                Don't meddle in the affairs of magicians,
                for they are subtle and quick to anger.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: [Full-Disclosure] Full-disclosure Posts Sir Robert Mortimer Thrip (Oct 16)
- <Possible follow-ups>
- [Full-Disclosure] Full-disclosure Posts yahoo@localhost (Oct 16)
  - Re: [Full-Disclosure] Full-disclosure Posts Mike Barushok (Oct 16)
  - Re: [Full-Disclosure] Full-disclosure Posts yossarian (Oct 16)
  - Re: [Full-Disclosure] Full-disclosure Posts Etaoin Shrdlu (Oct 16)
  - Re: [Full-Disclosure] Full-disclosure Posts 404 (Oct 17)
    - Re: [Full-Disclosure] Full-disclosure Posts yahoo@localhost (Oct 17)
    - Re: [SPAM] Re: [Full-Disclosure] Full-disclosure Posts Hugo van der Kooij (Oct 17)
    - Re: [SPAM] Re: [Full-Disclosure] Full-disclosure Posts xploitable (Oct 18)
- Re: [Full-Disclosure] Full-disclosure Posts Mister Xploitable Gmail (Oct 16)
- RE: [Full-Disclosure] Full-disclosure Posts Todd Towles (Oct 17)
  - Re: [Full-Disclosure] Full-disclosure Posts backyard@yahoo-inc (Oct 17)
    - Re: [Full-Disclosure] Full-disclosure Posts yossarian (Oct 17)
    - Re: [Full-Disclosure] Full-disclosure Posts xploitable (Oct 18)
    - Re: [Full-Disclosure] Full-disclosure Posts yossarian (Oct 18)
    - WSDL / UDDI scanner n30 (Oct 22)
- RE: [Full-Disclosure] Full-disclosure Posts Todd Towles (Oct 18)