Re: [Full-disclosure] Should I Be Worried?

Date: Thu, 27 Apr 2006 10:17:35 -0400
Sol Invictus wrote:

> And THAT my friends is why it IS so hard! People know that if it's only one person that knows about it, sooner or later they will shut up and move on. If you're gonna watch your stuff anyway, why not contact the credit bureaus and put an alert on your file and then go FD!
>
> In the words of our forefathers, "United we stand! Divided we fall!"
>
> Thank you for being one of the sheep that makes the rest of our jobs harder.


Not everyone's cut out for that kind of responsibility. People have different considerations and things that drive them.

The reason it's so hard is not for lack of talking but rather for lack of caring. Having worked in both the educational and corporate world I can say, beyond a shadow of a doubt, that what we say here doesn't really reach them for the most part. It reaches software producers, yes... and that was my original point. Appointment jobs are CYA jobs and band-aids are better than fixes in those situations.

The best way to effect that kind of change is to change the corporate culture -- which is a lot harder than it looks.

Many certified security professionals are taught that risk management is all about cost versus loss. It's like in Fight Club... it's the formula. a + b + c == x. If x is less than the cost of combined losses then companies don't fix it because it's counterproductive. It's roughly the same in organizations like universities, only sometimes worse, because there are all manner of divisions of labor and decisions made and deals appropriated that are there just for internal politics and job security for certain individuals.

What has to be considered is the fact that cost, in this case, is from the side of the institution. My bank account, for instance, means a lot more to me than it does to my bank. To my bank, I'm a very small percentage of the funds they hold. To me, my bank account is my ability to pay my rent this month.

The whole situation won't change until the corporate culture changes to stop being selfish and start considering the interests of the customer. And we're a long way away from that happening, unfortunately.

            -bkfsec

p.s. I understand what you're saying, though... that our voices increase the combined cost to the organization driving them harder to fix things... this is true... but many organizations will just try to shift those costs back to you through legal means. We have to pick and choose our battles.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/