Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Vanja Hrustic (vanja@vanja.com)
Date: 05/29/02


Date: Wed, 29 May 2002 16:51:08 +0700
From: Vanja Hrustic <vanja@vanja.com>
To: pen-test@securityfocus.com

On Tue, 28 May 2002 12:05:43 -0600 (MDT)
Alfred Huger <ah@securityfocus.com> wrote:

> http://www.nextgenss.com/news/vna.html

It won't make any difference whatsoever. It's time to realize that 'we'
don't make any difference.

Vendors still don't react to problems, silly bugs are still present in
software, admins still don't patch/upgrade, users still click on
attachments and download screen savers.

Management still wants security audits so that they can blame the security
company later when they get hacked. Clients' admins still look interested
when you explain security issues to them, but the moment you're gone things
are back to 'normal'. The blame game (vendor/client) will go on for years to
come - the client can't fix the security problems because it will break
critical production apps, and the vendor will keep on explaining how having a
world-writable /.rhosts is not a problem. You just CAN'T do anything about
that (unless some serious money is lost).

No matter what 'we' do, things will remain the same, since 'we' don't have
any authority. All the authority 'we' *think* 'we' have is in our small
security world. John Doe couldn't care less what 'we' think or do.

My guess is that soon some 'organizations' will be formed by govts, and
will decide to "take over" the security issues, since it is obvious that
the Internet and its users can not do it on their own (we're all small kids,
and big daddy will take care of us).

A side effect might be a feature which will enable naughty 'researchers' to
spend more time in jail than someone who rapes or kills.

People are scared of what they don't understand. Simple as that. And 99% of
the planet (all govt and policy makers included) don't understand
security...

Vanja
