Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

like i said
standing up for good policy does not mean it will be enforced

Den 12. jan. 2012 10.55 skrev Laurelai <laurelai@xxxxxxxxxxxx>:

On 1/12/12 3:54 AM, doc mombasa wrote:

and you are obviously blindly stuck on a point and has no idea how it
actually works out there in "the real world"

in small companies you have freedom and ability to execute
in big companies not so much..

Den 12. jan. 2012 10.52 skrev Laurelai <laurelai@xxxxxxxxxxxx>:

On 1/12/12 3:47 AM, doc mombasa wrote:

ok obviously you never worked for a big corporate entity :)
sure standing up to them is fine
after shouting about the bug for 4 months i thought bah why bother its
their asses not mine
just going in and fixing a bug without the mandate is usually not a good
idea (if you want to keep your job so you can pay your bills that is..)

Den 12. jan. 2012 10.41 skrev Laurelai <laurelai@xxxxxxxxxxxx>:

On 1/12/12 3:34 AM, doc mombasa wrote:

i dont know if you ever worked for a big corporate entity?
like kovacs wrote its not about whether you can do it or not as an
employee its more about if your manager allows you the time to do it
pentesting doesnt change anything on the profits excel sheet
we can agree it looks bad when shit happens but they usually dont think
that far ahead
i tried once reporting a very simple sql injection flaw to my manager
and including a proposed fix which would take all of 5 minutes to implement
18 months went by before that flaw was fixed because there was no
profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

Den 12. jan. 2012 10.29 skrev Laurelai <laurelai@xxxxxxxxxxxx>:

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the "skiddies" if most of them only know how to
fire up sqlmap or whatever current app is hot right now?
doesnt really seem like enough reason to hire anyone
besides im not buying the whole "they do it because they are angry at
society" plop
ive been there.. they do it for the lulz

Den 11. jan. 2012 06.18 skrev Laurelai <laurelai@xxxxxxxxxxxx>:

On 1/10/12 10:18 PM, Byron Sonne wrote:
Don't piss off a talented adolescent with computer skills.
Amen! I love me some stylin' pwnage :)

Whether they were skiddies or actual hackers, it's still amusing (and
frightening to some) that companies who really should know better, in
fact, don't.

And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self taught they wouldn't have as
a reason to be angry anymore. Most of them feel like they don't have
real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network, it is a safe bet he isn't
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more the person who has all the certs and experience
that told you your network was safe or the 14 year old who proved him
wrong? We all know if that kid had approached microsoft with his
in a responsible manner they would have outright ignored him, that's
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it how long
has sql injection been around? There is absolutely no excuse for being
vulnerable to it. None what so ever. These kids are showing people the
truth about the state of security online and that is whats making
afraid of them. They aren't writing 0 days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting
system aren't using these tools to scan their systems or else they
have found the weaknesses first.

The fact that government organizations and large name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's whats making people angry,
they are putting someones paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase
competence and security. Knowing that if you get your network owned by
teenager will not only get you fired, but replaced with said teenager
one hell of an incentive to make sure you get it right.

Yes they would have to be taught additional skills to round out what
they know, but every job requires some level of training and there are
quite a few workplaces that will help their employees continue their
education because it benefits the company to do so. This would be no
different except that the employees would be younger, and younger
do tend to learn faster so it would likely take less time to teach
kids the needed skills to round out what they already know than it
to teach someone older the same thing. It is the same principal behind
teaching young children multiple languages, they learn them better than

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Because the ones in charge right now can't even seem to fire up
sqlmap now and then to see if they are vuln. And if you really believe that
they just do it for the lulz line...

Well that's what you get when you let profit margins dictate security
policy. You guys act pretty tough when you argue with each other online but
you can't stand up to some corporate idiots? Sounds like this industry
could benefit from these kids even more since they are driving home the
points you all are supposed to be warning them about.

Ok, obviously you don't actually care about information security.
Enjoy kids owning your networks.

Yes and its the fault of people who feel too intimidated to stand up for
good policy. Thats *why* big companies are this way, your part of the

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages

  • Re: No Shut Down or Restart for Domain Admins
    ... run rsop.msc from your DC and check which policy is responsible to this. ... I have created a group policy in a development network and imported it ... NT AUTHORITY\Authenticated Users Read (from Security Filtering) No ... Enforce user logon restrictions Enabled ...
  • Fwd: Oh Dear, Where to start?!
    ... It seems to me you need two things: an organizational policy, ... finish college and break into the real world of computer security. ... experience in the field of network security and policy ... updates, driver updates, and recommended updates. ...
  • Re: Oh Dear, Where to start?!
    ... > from some of you with appropriate experience in the field of network ... > main focus and priority has been computer security and policy development. ... install certain updates. ...
  • RE: Mass Distribution of Security Policies
    ... It could start with a Network usage agreement, (Advisory Policy) to all ... Mass Distribution of Security Policies ...
  • Re: [fw-wiz] Security and Audit Policy
    ... what policy are you trying to impliment? ... > are no security and audit policies in place. ... > regarding this network. ... Disabled M$ Outlook and IE and replaced these with ...