The Internet's 10 most dangerous people you don't know

rsnake

Robert Hansen (who actually wore a suit, which was quite surprising to me) gave out a list of 10 people he thought were the most dangerous people for the internet that you don't actually know. These are people responsible for infrastructure or services that are important to the safety and ongoing functionality and yet are not generally recognized as important/dangerous people.

10. Network engineer at C|Net

They own com.com which is the craziest domain. If you owned that domain you could probably serve up malware and sniff a whole lot of e-mail that is accidentally sent to example.com.com

9. Giorgio Maone

He makes noscript which a lot of security people use.
They use it and never read the source.
He could be bribed/coerced into modifying the extension to do something different that is insecure.

8. Eddy Nigg StartCom

(could be any person at an ssl reseller). He can create a wildcard certificate for any domain. He has to try to trust people and yet shouldn't really trust people. Which allows man-in-the-middle quite easily.

7. John Doe at Authorize.net

They are the biggest online merchant service provider - they know credit card data for so many sites. It's arguably worse than Visa/Mastercard since nobody really cares about the merchants or their security and the merchants have a lot more data about the transaction (the specific domain it's coming from, for example). Further, if they just blackmailed people from sketchy sites then the end-user would assume it's the sketchy site doing it so a malicious person at one of these organizations (or who gets access to their data) could go undetected for a long time.

6. Check in engineer at Mozilla

They add something bad to the code like a sniffer or an SSL cert. He retracted this one, which makes sense because Mozilla isn't really more vulnerable than any other software vendor and they are much less popular.

5. Chirag and Floyd at Adwords

It's legitimate XSS on 50% of the internet? You could steal everything from lots of really important sites.

4. John Doe at Google's Postini

They read all your gmail. Inbound and outbound. Which means they actually see a fairly large amount of all e-mail. Privacy fail!

3. John Doe at 1 Wilshire

It's a major peering point for a lot of stuff on the internets, so they can snoop on and/or block lots of traffic.

2. John Doe at gtei.net

They control the IP addresses 4.2.2.2 and 4.2.2.3 which are DNS servers that a lot of people use because they are easy to remember. Many networking engineers and pieces of equipment are set to use these, so if they are abused they could cause massive problems.

1. iDefense, Verisign, Network Solutions

They control .com. Which is kinda important.

Buy his book - Detect Malice.

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Module

If you are concerned about whether your site is secure, consider using the Security Review Module to get a free review of your site's security health. Did it find problems? Consider hiring a security expert from Drupal Scout to audit your site.

Recent Blog Posts

Improvements to Security in Drupal 7

Posted by greggles

0 comments
Why counting vulnerabilities is not a sufficient method of comparing product security

Posted by greggles

0 comments
Notes from Linux Security Tunables by Kees Cook

Posted by greggles

0 comments