Re: Fwd: Rate Stratfor's Incident Response

[Kyle Creyts <kyle.creyts () gmail com>]

How many of those engaged in these attacks _could_ actually fix the vulns
they exploit? What is a good "rough estimate" in your opinion?
On Jan 11, 2012 12:47 AM, "Laurelai" <laurelai () oneechan org> wrote:

> On 1/10/12 11:32 PM, James Smith wrote:
> > Well I do agree with what you are stating. As I have seen incidents
> > like this happen to many times.
> > This mailing list is a big part of the IT Security community.
> >
> >
> >
> > -----Original Message----- From: Laurelai
> > Sent: Wednesday, January 11, 2012 1:18 AM
> > To: full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
> >
> > On 1/10/12 10:18 PM, Byron Sonne wrote:
> > > > Don't piss off a talented adolescent with computer skills.
> > > Amen! I love me some stylin' pwnage :)
> > >
> > > Whether they were skiddies or actual hackers, it's still amusing (and
> > > frightening to some) that companies who really should know better, in
> > > fact, don't.
> > And again, if companies hired these people, most of whom come from
> > disadvantaged backgrounds and are self taught they wouldn't have as much
> > a reason to be angry anymore. Most of them feel like they don't have any
> > real opportunities for a career and they are often right. Microsoft
> > hired some kid who hacked their network, it is a safe bet he isn't going
> > to be causing any trouble anymore. Talking about the trust issue, who
> > would you trust more the person who has all the certs and experience
> > that told you your network was safe or the 14 year old who proved him
> > wrong? We all know if that kid had approached microsoft with his exploit
> > in a responsible manner they would have outright ignored him, that's why
> > this mailing list exists, because companies will ignore security issues
> > until it bites them in the ass to save a buck.
> >
> > People are way too obsessed with having certifications that don't
> > actually teach practical intrusion techniques. If a system is so fragile
> > that teenagers can take it down with minimal effort then there is a
> > serious problem with the IT security industry. Think about it how long
> > has sql injection been around? There is absolutely no excuse for being
> > vulnerable to it. None what so ever. These kids are showing people the
> > truth about the state of security online and that is whats making people
> > afraid of them. They aren't writing 0 days every week, they are using
> > vulnerabilities that are publicly available. Using tools that are
> > publicly available, tools that were meant to be used by the people
> > protecting the systems. Clearly the people in charge of protecting these
> > system aren't using these tools to scan their systems or else they would
> > have found the weaknesses first.
> >
> > The fact that government organizations and large name companies and
> > government contractors fall prey to these types of attacks just goes to
> > show the level of hypocrisy inherent to the situation. Especially when
> > their solution to the problem is to just pass more and more restrictive
> > laws (as if that's going to stop them). These kids are showing people
> > that the emperor has no clothes and that's whats making people angry,
> > they are putting someones paycheck in danger. Why don't we solve the
> > problem by actually addressing the real problem and fixing systems that
> > need to be fixed? Why not hire these kids with the time and energy on
> > their hands to probe for these weaknesses on a large scale? The ones
> > currently in the job slots to do this clearly aren't doing it.  I bet if
> > they started replacing these people with these kids it would shake the
> > lethargy out of the rest of them and you would see a general increase in
> > competence and security. Knowing that if you get your network owned by a
> > teenager will not only get you fired, but replaced with said teenager is
> > one hell of an incentive to make sure you get it right.
> >
> >
> > Yes they would have to be taught additional skills to round out what
> > they know, but every job requires some level of training and there are
> > quite a few workplaces that will help their employees continue their
> > education because it benefits the company to do so. This would be no
> > different except that the employees would be younger, and younger people
> > do tend to learn faster so it would likely take less time to teach these
> > kids the needed skills to round out what they already know than it would
> > to teach someone older the same thing. It is the same principal behind
> > teaching young children multiple languages, they learn them better than
> > adults.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Yes I am aware they are, the ones who cry out that they are just script
> kiddies and such are the ones who are most likely to be vulnerable in my
> experience. Point is they still got owned, doesn't matter if the method
> was easy. In fact because it was easy should be an even greater concern
> to everyone here. The fact that Stratfor got owned like they did shows
> they were beyond negligent, HBGary was the same as was Sony. They
> shouldn't be trying to prosecute these kids they should go after these
> companies for grossly mishandling peoples personal information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/