Full Disclosure mailing list archives
Re: Fwd: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Wed, 11 Jan 2012 01:33:18 -0600
On 1/11/12 1:21 AM, Valdis.Kletnieks () vt edu wrote:
> On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said:
>
>> real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.
>
> How safe a bet, exactly? Safe enough to bet your business on it? Microsoft has $40B in cash handy to survive on if something goes wrong. What's *your* Plan B if the kid you hired blabs about his gig and one of his buddies rapes your net using the credentials you gave the kid to do the pen test?
>
>> Talking about the trust issue, who would you trust more, the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong?
>
> A really clever guy by the name of Edsger Dijkstra once said "Testing can prove the presence of bugs, but not their absence". If you're getting a pen test done by somebody who says your network is safe, you're being ripped off. First, all networks have holes - if the pen tester comes up empty, it doesn't mean your net is secure, it means finding the holes needs somebody with better skills. Second, any pen tester who says "the net is safe" is a rip-off artist. At best, they can say "we did not find any of the following vulnerabilities we tested for. There may be vulnerabilities present that we were unable to find under the rules of engagement, which limit the scope and total time and money spent". Also, it's not just about who you trust more to find the holes, it's who you trust to be professional while they do it. Or the "put your money where your mouth is (literally)" version - which one would you rather have working for your bank when they find a security hole that allows them access to your checking account?
If you guys can't scan for basic SQL injection and these kids can, then there's a real problem; that's my point here. The attacks are so simple children can do it, and the so-called experts aren't finding them or just aren't looking, so I'm not sure if it's incompetence or apathy behind these high profile hacks. You can teach these kids the same skillsets the so-called experts have, but you can't teach incompetent people to be competent, as it's a willful mindset to not learn new things, and there's no solution for apathy other than hiring someone who cares. These kids have the motivation to learn new things and the energy to apply them. Something the people they are owning lack sorely. As the ancient proverb says, "Set a thief to catch a thief".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Fwd: Rate Stratfor's Incident Response, (continued)
- Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 09)
- Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Jeffrey Walton (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Byron Sonne (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 10)
- Message not available
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Kyle Creyts (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response James Smith (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 10)
- Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Ian Hayes (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Dan Ballance (Jan 12)
- Re: Fwd: Rate Stratfor's Incident Response Kyle Creyts (Jan 12)
- Re: Fwd: Rate Stratfor's Incident Response coderman (Jan 16)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)