Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Benjamin Kreuter <ben.kreuter () gmail com>
Date: Sat, 14 Jan 2012 16:53:57 -0500
On Sat, 14 Jan 2012 14:33:23 -0700 Sanguinarious Rose <SanguineRose () OccultusTerra com> wrote:
> On the kiddies, I can't see the advantage of hiring a professional sqlmap and havij operator.
For a full-time position with benefits, no, there is no real advantage. However, if your own team cannot even do that much, then perhaps the kiddie should be hired on a temporary or contract basis, to give a report of what sort of common vulnerabilities can be exploited.
>> I always report the vulns that I stumble upon (from my own email and such) and while I'm doing this in good faith, I would never dare to actively exploit that vuln for better proof, because if they sue me, they would win. So I try to keep it that way, that I cannot be held responsible, because I didn't break any law.
>
> I do agree and can't see the real need for someone to actually prove it like that, which is rather over the line in being illegal. It also requires more work than is even required to report it.
People are very bad at understanding hypothetical problems. As an example, my alma mater would (and perhaps still does) routinely send important, official emails about financial aid, tuition, etc. with a format like this:

    [stuff about finances that needs to be taken care of quickly]

    Click here to do [something important]: [link]

There was no method available to verify that these emails actually came from the university's administration -- no digital signatures, nothing in the mail system that even checked that the message originated from a university IP address, nothing. I tried to bring this up with them, and even gave a live demonstration of spoofing an email address for the non-technical folks. It was not until an actual phishing attack was detected that any action was taken.

Telling someone they have a vulnerable system will only effect change if they already take security seriously. Since most organizations still do not view security as central to the design of their systems, you need to really drive the point home with evidence. This means actually attacking the system, or at the very least giving some demonstration that the vulnerability is real and can really be attacked.

-- 
Ben

-- 
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu

-- 
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them."
- George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/