Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response


From: Dan Ballance <tzewang.dorje () gmail com>
Date: Wed, 11 Jan 2012 14:43:58 +0000

It was my assumption also - but are we sure this attack was through a
"trivial, well-known attack vector"?


On 11 January 2012 14:40, Laurelai <laurelai () oneechan org> wrote:
On 1/11/12 8:39 AM, Ferenc Kovacs wrote:


Because the ones with the so called ethics either lack the technical
chops or lack the enthusiasm to find simple vulnerabilities. Not very
ethical to take a huge paycheck and not do your job if you ask me.


If the only thing missing to secure those systems was somebody being able to
use sqlmap and xss-me, then that could be fixed without hiring people who
already proved that they aren't trustworthy.
From my experience, the lack of security comes from the management; you can
save money on that (and QA) in the short run.
So companies tend to hire QSA companies to buy the paper which says that
they are good, when in fact they aren't.
Most of them don't wanna hear that they are vulnerable and take the risks
too lightly.
If they took IT security seriously, they simply couldn't be owned through
trivial, well-known attack vectors.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

:D at least one person here gets it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
