
| Subject: | Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux |
|---|---|
| Date: | Thu, 27 Apr 2006 20:51:37 +0100 |
Georgi Guninski wrote:

> dear "Matthew", are you by any chance MCSE, MVP or something like this?
The folks I know at Yahoo and Google started being engineers when they were like 24 and are still in the security industry at 30. Thirty-something is the prime age for corporate security. It's the age you're in your prime. You can't beat it. The guys I know find hundreds of bugs a year in Google and Yahoo and don't blink an eyelid about the most serious of vulnerabilities. They report them to Yahoo, Google and forget. Some of them get released as patches, some don't. Professionals don't care, they are doing a job.

And these guys I know aren't exactly whitehats, but while they're at work, they treat it as a professional job, and whatever is found at work, stays at work. They have a contract before they are allowed to be a security engineer, that they need to keep it private, until the time is chosen for patch release. And even then, they don't declare they found a particular vulnerability, through choice.

It's not being a whitehat, half the folks I know are rogue employees, who work on separate projects out of work, and are blackhat happy. That's the difference between a mailing list vulnerability researcher, and a researcher who isn't interested in fame. It's about telling the vendor. Sure, you can tell a mailing list, like most mailing list folks do, but don't expect corporate security policy to change or be rushed because you've typed up a convincing "Vendor Response" article at the bottom of your advisory.

There is a clear distinction between fame hungry folks and folks who just want to tell a vendor about something, and don't care if it's patched, and like I've said already, blackhat or whitehat doesn't come into it, because there's folks working as security engineers on a professional level who also work in the underground on malicious projects, which also they never disclose in public as being related to them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/