RE: [Full-Disclosure] Full-disclosure Posts

["Todd Towles" <toddtowles () brookshires com>]

Well, I didn't take offense...alot of compaines are very lazy with
security...just wanted to throw in my 2 cents. 

Just look at all the pen-testing compaines..that throw you a nessus
report with a logo on top of it. They have never tested the reported
hole with another method or even tried any other hacking method
(social). Don't worry I see your point too clear. 

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> backyard@yahoo-inc
> Sent: Sunday, October 17, 2004 2:54 PM
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-Disclosure] Full-disclosure Posts
>
> On Sun, 17 Oct 2004 12:34:33 -0500, Todd Towles 
> <toddtowles () brookshires com> wrote:
> > I agree with your idea, but I am one of those uni graduate/20 
> > something professionals. I am very passion about my work and the 
> > security of the company I work for. I work in a rural state and the 
> > money isn't as high as some other places. I took a pay cut 
> to work in 
> > the IT field when I finished college.
> >
> > Maybe you weren't talking about people like myself in your 
> statement 
> > (since most people that are part of FD are here to be on 
> the edge of 
> > security and around people that understand them) but it seemed like 
> > you were talking in pretty general terms....with that in 
> mind I have 
> > to disagree with you that all the 20 something 
> professionals are not 
> > good security professionals. A lot of the older folks are 
> sitting in 
> > the corner talking about their 1980 modems, while some 15 year old 
> > from south amercian uses a three year old exploit on their 
> > misconfigured Apache webserver and defaces it.
> >
> > I agree that you have to love computers...you have to eat and sleep 
> > computers/security to be good in the field and a lot of 
> people in the 
> > IT field aren't like that. Kinda sad, but I will have their job one 
> > day..so..I just smile.
>
>
> My motivation is yahoo.. these guys need to wake up more. 
> Everything about them says they are out of touch with the 
> threats of today. If you report X, they patch X, even if they 
> know Y and Z are vulnerable, the apparent attitude is to 
> leave Y and Z until they get reported or become an active 
> problem, because they want to move onto the next reported 
> vulnerability. From the idea I get, its all about what looks 
> good on paper and productivity. I mean, I bet yahoo hand out 
> most productive security employee of the month awards and 
> stuff. Its all screwed up and wrong.
>
> My stance is.. yahoo sack all the ones who are in it for the 
> money, keep the employees who think like a hacker, then 
> recruit some real life hackers from the underground. That 
> combination is a winning security team, not the current team 
> who in my opinion are out of touch and out dated for the 
> threats of the 21st century.
>
> As for misconfigured web servers with 3 year old exploit. 
> Yahoo! don't even need exploits and misconfigured web 
> servers. They do fine by cutting corners and taking short 
> cuts in security. Half the network is vulnerable to all 
> manner of stuff. In my opinion, the only threat to Yahoo are 
> Yahoo themselves, not hackers.
>
> Sorry to go on about yahoo, but its something i'm passionate about.
>
> Feel free to hit the block sender button, I fully understand. 
>
> :-)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html