Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response


From: "J. von Balzac" <jhm.balzac () gmail com>
Date: Mon, 9 Jan 2012 20:00:11 +0100

Most of the kids are skript kiddies, and don't really understand the *defense*
end of the security business very well.  Sure, some may be better than skript
kiddies, and may be *incredible* at finding a memory overlay or an SQL
injection, but do they know how to *secure* against *everything*?

Does that kid know anything about "continuity of operations"? How to negotiate
with network providers to guarantee diverse cable paths?  How to set up proper
audit trails so they can figure out what happened after the fact? How to deal
with physical security issues (how do you know the guy at the door works for
Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
evidence" order?  How to secure systems against insider threats and
embezzlement (still a big problem, even if hackers get more news time)? How to
ensure proper backups get done (this can be very non-trivial if you have
multiple petabytes of storage, and need to do point-in-time recoveries)? How to
do all the other things involved in actually making a data processing facility
*secure*?

Warning: my message is about semantics.

Valdis, you make me curious - how do you know that most are kids, and
script kiddies? The label 'script kiddies' has been used for over 20
years and well, kids do grow old... aren't the script kiddies really
"script men" these days? The label "script kiddie" tends to downplay
their existence. It has a tone of "strong security officers, men of
renown, men with beards" who look down on those petty script kiddies
from their high places of arcane knowledge possessed by a mere few.

Isn't it more likely that the people who massively pwned Stratfor are
indeed mature and serious? It's easy to establish that "the lulzboat
people" for lack of a better term, are more mature than the
technicians at Stratfor will ever be. Better to call them "security
kiddies", I can understand that.

Of course it's common to refer to script kiddies in mailing lists and
to tech savvy people. As I'm not a pro I wonder if you guys (the
professional pen testers) refer to these people as script kiddies when
you talk with your clients.

Maybe 'penners' would be a better word, because even the word 'hacker'
is too broad. I can't stand it when 'laymen' refer to 'hackers' on
every occasion.

Jan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/