Full Disclosure mailing list archives
Re: Security Industry Under Scrutiny: Part 3
From: John <johnpf () atnet net au>
Date: Wed, 11 Dec 2002 12:52:10 +1000
sockz loves you wrote:
----- Original Message ----- From: Silvio Cesare <silvio () big net au> Date: Fri, 6 Dec 2002 15:15:56 +1100 To: sockz loves you <sockz () email com> Subject: Re: [Full-disclosure] Security Industry Under Scrutiny: Part 3The presentations provided visibly show the source to "script kiddy" usage goes through a disclosure process.. The "script kiddies" are therefore the only adverseries you display.what others should i have included that were relative to the debate? i assumed that if i was describing the flow of information between whitehats and script kiddies, then i would not need to list any other adversaries because they would have been outside the scope of the email. perhaps i was wrong? then again you could mean here that fake-whitehats with fake-advisories are also kinds of adversaries? i am not clear on this.
Sockz,As of a very few years ago it was 'generally considered' that the greatest security risk that could involve monetory costs was from the disgruntled employee. I wouldn't be surprised if the potential cost of IIS/Lookout worms has now taken that 'leadership' position. But the capacity for a pissed-off employee to blow away a database or file system should not be trivialised. Look at how many root exploits rely on gaining a local shell!
Just a simple (while true ; do mkdir a ; cd a ; done ) can incapacitate a server if done at the right time in the right filesystem. As well as annoy the sysadmin, and in turn cost money. Inode exhaustion is not nice lol. This is why aging hippies like myself were so annoying in our day - we realised that the biggest threat to any information system was through Social Engineering, _not_ through exploit code disclosure.
If I can convince you that I am a Sun Engineer (Hey, I can make a business card that looks like I'm a Sun Engineer _very_ easily) and I have some 'secret patch we're not disclosing to the script kiddies' that I'm here to install on your box, and I have my Evil Friend waiting on the phone line on the card (we've managed to patch into the phone exchange in the not so secure tunnel under the xxxxxxxx building [Building not disclosed because there IS a tunnel I can get at Telstra's exchange with... regardless of the nature of this list I'm not going to tell, I got in trouble in my youth and I'm too old for that shit anymore.] so it's really hard to find us afterward) then I can do all sorts of bad things to your servers. I only need a shave to be completely unrecognisable.
btw, was good to finally meet you in person last Sunday, I don't believe that the image you present on this list does you any justice whatsoever. There are depths to you that may not be apparent to those who only know you through your posts here
Just a few things to consider, John _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Security Industry Under Scrutiny: Part 3 sockz loves you (Dec 05)
- <Possible follow-ups>
- RE: Security Industry Under Scrutiny: Part 3 Steve W. Manzuik (Dec 05)
- RE: Security Industry Under Scrutiny: Part 3 sockz loves you (Dec 05)
- Re: Security Industry Under Scrutiny: Part 3 Silvio Cesare (Dec 05)
- RE: Security Industry Under Scrutiny: Part 3 Richard M. Smith (Dec 06)
- Re: Security Industry Under Scrutiny: Part 3 Silvio Cesare (Dec 05)
- RE: Security Industry Under Scrutiny: Part 3 John . Airey (Dec 06)
- Re: Security Industry Under Scrutiny: Part 3 sockz loves you (Dec 09)
- Re: Security Industry Under Scrutiny: Part 3 David Howe (Dec 10)
- Re: Security Industry Under Scrutiny: Part 3 John (Dec 10)