Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Benjamin Kreuter <ben.kreuter () gmail com>
Date: Wed, 11 Jan 2012 12:57:48 -0500
On Tue, 10 Jan 2012 21:39:07 -0800 Ian Hayes <cthulhucalling () gmail com> wrote:

> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai <laurelai () oneechan org> wrote:
>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>>> Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
>> And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career, and they are often right.
> [citation needed]
>> Microsoft hired some kid who hacked their network; it is a safe bet he isn't going to be causing any trouble anymore.
> Are you proposing that we reward all such behavior with jobs? I've always wanted to be a firefighter. Forget resumes, job applications and interviews, I'm going to set people's houses on fire.
No, it is more like you see a house on fire, call 911, then clear the road so that firefighters can get to the house. You know, someone who is helping the professionals do their job?
> By your logic, an arsonist is not only the best person to combat other arsonists, but due to his obviously unique insight into the nature of fire, simply must know how best to fight a fire as opposed to someone who went to school for years to learn the trade.
Unless you are going to give me a proof that no attack on my network could be successful, you need people who can find their way through the cracks to evaluate the efficacy of your security system. If the people you already hired to maintain your security are not able to identify threats and design systems that are resilient to those threats, then you need to hire someone else. A security team will benefit from having someone poke holes in their design.
>> Talking about the trust issue, who would you trust more: the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong?
> This is asinine. WHY would I want to hire someone for a position of trust that just committed a crime, or at the very least acted in an unethical manner?
The problem is that we have criminalized too much here. If some 14 year old comes to you and hands you supposedly secret documents, he is behaving very ethically -- he is telling you that you have a vulnerability, rather than simply trying to sell your secrets to a competitor. That sounds like a person who can be trusted to work for you -- someone who could have easily betrayed you, but did not, and who knew when and how to do the right thing.
> More than anything, that person has proven that while he *might* have the technical chops, he certainly lacks the ethics and decision making skills to operate in the grown-up world.
No, it means you have someone whose mind is not confined to the structure that most adults' minds are confined to. There is a scene from the movie "Operation Takedown" that comes to mind here:

Cop: "Don't worry, all our radios use encryption."
Hacker: "What do you think he'll do when he hears a bunch of encrypted radio transmissions?"

People who go through years of schooling often have the same view of a system, and often think about things the same way. They learn a particular model of the world, and like every other model there is a point beyond which the real world diverges from the model. It helps to have someone who can point out where the model will break down, which is either someone who is very intelligent or someone who thinks about things differently. A hacker who comes to you and explains that they have broken your security system is going to fit into one of those categories.

The people who are going to attack your system and then sell your secrets on the black market are people who are not going to think in the structured way that your engineers think. They are going to do things that your IT staff did not expect anyone to do. They are going to do things your IT staff did not even think about. If the people in your organization were not creative enough to do what the teenage hacker did, then the teenage hacker has skills that are missing from your team -- which can be restated as: the teenager is someone you should hire.

Even if you were only attacked by a script kiddie, you should at least talk to them about a possible job. If you are vulnerable to the common exploits that script kiddies are using, then you probably need someone in your organization who is familiar with script kiddie tools and forums. Relying on the police to track script kiddies down while your own high-paid security staff fails to protect your system from known exploits is a pretty bad approach to security.

- --
Ben
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
- --
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu

- --
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell