Re: Fwd: Rate Stratfor's Incident Response

[Laurelai <laurelai () oneechan org>]

On 1/12/12 3:34 AM, doc mombasa wrote:
> i dont know if you ever worked for a big corporate entity?
> like kovacs wrote its not about whether you can do it or not as an 
> employee its more about if your manager allows you the time to do it
> pentesting doesnt change anything on the profits excel sheet
> we can agree it looks bad when shit happens but they usually dont 
> think that far ahead
> i tried once reporting a very simple sql injection flaw to my manager 
> and including a proposed fix which would take all of 5 minutes to 
> implement
> 18 months went by before that flaw was fixed because there was no 
> profits in allocating resources to fix it
> and that webapp was the #1 money generator for that company
>
> Den 12. jan. 2012 10.29 skrev Laurelai <laurelai () oneechan org 
> <mailto:laurelai () oneechan org>>:
>
>     On 1/12/12 3:27 AM, doc mombasa wrote:
> >     just one question
> >     why should they hire the "skiddies" if most of them only know how
> >     to fire up sqlmap or whatever current app is hot right now?
> >     doesnt really seem like enough reason to hire anyone
> >     besides im not buying the whole "they do it because they are
> >     angry at society" plop
> >     ive been there.. they do it for the lulz
> >
> >     Den 11. jan. 2012 06.18 skrev Laurelai <laurelai () oneechan org
> >     <mailto:laurelai () oneechan org>>:
> >
> >         On 1/10/12 10:18 PM, Byron Sonne wrote:
> >         >> Don't piss off a talented adolescent with computer skills.
> >         > Amen! I love me some stylin' pwnage :)
> >         >
> >         > Whether they were skiddies or actual hackers, it's still
> >         amusing (and
> >         > frightening to some) that companies who really should know
> >         better, in
> >         > fact, don't.
> >         >
> >         And again, if companies hired these people, most of whom come
> >         from
> >         disadvantaged backgrounds and are self taught they wouldn't
> >         have as much
> >         a reason to be angry anymore. Most of them feel like they
> >         don't have any
> >         real opportunities for a career and they are often right.
> >         Microsoft
> >         hired some kid who hacked their network, it is a safe bet he
> >         isn't going
> >         to be causing any trouble anymore. Talking about the trust
> >         issue, who
> >         would you trust more the person who has all the certs and
> >         experience
> >         that told you your network was safe or the 14 year old who
> >         proved him
> >         wrong? We all know if that kid had approached microsoft with
> >         his exploit
> >         in a responsible manner they would have outright ignored him,
> >         that's why
> >         this mailing list exists, because companies will ignore
> >         security issues
> >         until it bites them in the ass to save a buck.
> >
> >         People are way too obsessed with having certifications that don't
> >         actually teach practical intrusion techniques. If a system is
> >         so fragile
> >         that teenagers can take it down with minimal effort then
> >         there is a
> >         serious problem with the IT security industry. Think about it
> >         how long
> >         has sql injection been around? There is absolutely no excuse
> >         for being
> >         vulnerable to it. None what so ever. These kids are showing
> >         people the
> >         truth about the state of security online and that is whats
> >         making people
> >         afraid of them. They aren't writing 0 days every week, they
> >         are using
> >         vulnerabilities that are publicly available. Using tools that are
> >         publicly available, tools that were meant to be used by the
> >         people
> >         protecting the systems. Clearly the people in charge of
> >         protecting these
> >         system aren't using these tools to scan their systems or else
> >         they would
> >         have found the weaknesses first.
> >
> >         The fact that government organizations and large name
> >         companies and
> >         government contractors fall prey to these types of attacks
> >         just goes to
> >         show the level of hypocrisy inherent to the situation.
> >         Especially when
> >         their solution to the problem is to just pass more and more
> >         restrictive
> >         laws (as if that's going to stop them). These kids are
> >         showing people
> >         that the emperor has no clothes and that's whats making
> >         people angry,
> >         they are putting someones paycheck in danger. Why don't we
> >         solve the
> >         problem by actually addressing the real problem and fixing
> >         systems that
> >         need to be fixed? Why not hire these kids with the time and
> >         energy on
> >         their hands to probe for these weaknesses on a large scale?
> >         The ones
> >         currently in the job slots to do this clearly aren't doing
> >         it.  I bet if
> >         they started replacing these people with these kids it would
> >         shake the
> >         lethargy out of the rest of them and you would see a general
> >         increase in
> >         competence and security. Knowing that if you get your network
> >         owned by a
> >         teenager will not only get you fired, but replaced with said
> >         teenager is
> >         one hell of an incentive to make sure you get it right.
> >
> >
> >         Yes they would have to be taught additional skills to round
> >         out what
> >         they know, but every job requires some level of training and
> >         there are
> >         quite a few workplaces that will help their employees
> >         continue their
> >         education because it benefits the company to do so. This
> >         would be no
> >         different except that the employees would be younger, and
> >         younger people
> >         do tend to learn faster so it would likely take less time to
> >         teach these
> >         kids the needed skills to round out what they already know
> >         than it would
> >         to teach someone older the same thing. It is the same
> >         principal behind
> >         teaching young children multiple languages, they learn them
> >         better than
> >         adults.
> >
> >         _______________________________________________
> >         Full-Disclosure - We believe in it.
> >         Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >         Hosted and sponsored by Secunia - http://secunia.com/
>     Because the ones in charge right now can't even seem to fire up
>     sqlmap now and then to see if they are vuln. And if you really
>     believe that they just do it for the lulz line...
Well that's what you get when you let profit margins dictate security 
policy. You guys act pretty tough when you argue with each other online 
but you can't stand up to some corporate idiots? Sounds like this 
industry could benefit from these kids even more since they are driving 
home the points you all are supposed to be warning them about.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/