Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response

From: Martijn Broos <martijn.broos () traxion com>
Date: Tue, 17 Jan 2012 14:09:13 +0100

Most of the problems start already at education. There is not enough focus during school time what security beholds and 
what consequences are of bad design, bad programming, bad architecture and bad security principles.  I know schoolbooks 
that even don't mention security at all or is explained within 2 chapters (let say 20 pages) of a 1000 pages book. This 
also includes PKI and encryption. Security is only taught by trial and error apparently nowadays. And after you have 
burnt your fingers a few times you hire an expensive guy who does less kiddies do but give you more of a good feeling.
If programmers are aware of security consequences, they would fix them in the first place or try to avoid them.
Using kiddies is merely showing the terrible state your programmers level is. When you have engineers that are security 
aware, lesser exploits will be found. You still would look for them anyway because trust is good, prove is better in 
this scientific world.  In general testers are regarded as lesser people, but imho you should encourage them to try to 
break your code. At least that is what I do as a software engineer. After they break down my code, my first response 
is, thanks how did you do it, so I can update my skills as well. But this is all before production off course.
Yes, you can use them but make sure you know where their loyalty lies.
So I vote for the use of kiddies (only in a controlled test environment). This could even be a public test site where 
this list could try to break the stuff as long as you tell me how you did it:) I know this takes the fun out of it for 
a few, but hey you cannot please all people in the world.

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of E 
M
Sent: maandag 16 januari 2012 21:47
To: noloader () gmail com
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

I would say that we need both types: the skiddies and the others.
If you give to the skiddies enough fun at work they won't do something beyond the scope.
But their scope should be: I have a site/system(of course, the test one, not the production one!) break it!
They do it without being evil, even if they break it....the job was to break it in the first place.
Then the other security guy should go to the management with the pwnd dummy database/data and show them how bad it 
would be if it was the real one, and how easily it could be done.
Maybe this way the management provides more funding to the security of the business.
So, yes, hire the skiddies, but keep the other too.

________________________________
From: Jeffrey Walton <noloader () gmail com<mailto:noloader () gmail com>>
To: Laurelai <laurelai () oneechan org<mailto:laurelai () oneechan org>>
Cc: full-disclosure () lists grok org uk<mailto:full-disclosure () lists grok org uk>
Sent: Monday, January 16, 2012 9:58 PM
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

On Sat, Jan 7, 2012 at 6:03 PM, Laurelai <laurelai () oneechan org<mailto:laurelai () oneechan org>> wrote:


Perhaps these companies should try to hire the kids owning them instead of
crying to the feds.

Perhaps Stratfor's competition should hire them. Nothing new, there:
the Eastern Telegraph Company hired Nevil Maskelyne after he hacked
Marconi in 1903 during a demonstration of wireless telegraphy. [1]
(Wireless hacking since 1903!).

[1] http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


________________________________

DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this 
message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon 
the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Fwd: Rate Stratfor's Incident Response, (continued)
- - - Re: Fwd: Rate Stratfor's Incident Response coderman (Jan 16)
    - Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response doc mombasa (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response doc mombasa (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Paul Schmehl (Jan 13)
    - Re: Fwd: Rate Stratfor's Incident Response Jeffrey Walton (Jan 16)
    - Re: Fwd: Rate Stratfor's Incident Response E M (Jan 17)
    - Re: Fwd: Rate Stratfor's Incident Response Martijn Broos (Jan 17)
    - Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 17)
    - Re: Fwd: Rate Stratfor's Incident Response Kurt Buff (Jan 07)
    - Re: Fwd: Rate Stratfor's Incident Response Jeffrey Walton (Jan 07)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 07)
- Re: Fwd: Rate Stratfor's Incident Response Elazar Broad (Jan 12)
  - Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 12)