This has surely been asked before, and I know that administrators do not need to defend themselves on forums like this. But I still have to ask now.

A few days ago I posted a new thread in which I linked to the latest issue of Zero Four Owned. It is a kind of "newspaper" put out by a blackhat group that hacks well-known security researchers, but adds a fairly thick layer of moralizing on top.

For example, they make a very good point in the following paragraph of the latest issue (which I linked to):

Quote from zf05:

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS poisoning will destroy life as we know it. You have Matasano harvesting talent and critiquing everyone, and then Ptacek can only announce the release of....a graphical firewall management client. There's kingcope killing bugs and dropping weaponized exploits while making no other contribution except putting a smile on the face of kiddies. There's iDefense and their competitors selling exploits and only doing research in how to make more exploits. There's Jeff Moss running a conference under the hideous misnomer "Blackhat Briefings" where the same researchers search for glory and present the same shit year after year. There are people who just live press release by press release. And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find out quickly that none of these people exist to help you. Very few people in this industry have their income model based around actually making you more secure. At best, some of them have it based around convincing you that you are better off.

The very concept of "penetration testing" is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they're allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client's network may or may not get into everything. A real dedicated hacker making the slog who spends a month of eight hour days WILL get into anything they target. You're lucky if it even takes him that long, really.

There was nothing hush-hush about the post, since the mainstream press has also picked up on the incident:

http://www.theregister.co.uk/2009/07...minsky_hacked/

So it would be nice if the administrator who removed it could tell me the reason, so that I do not break the rules next time. Because I feel the information in zf05 is actually very instructive. Many good points, many good hacks (even though they do not give the details, but insert comments like "find the vuln" in the code where they presumably got in).

Or was it removed on the basis of "pearls before swine"?