Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Thu, 12 Jan 2012 11:20:31 -0600
On 1/12/12 11:12 AM, Valdis.Kletnieks () vt edu wrote:
> On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:
>> The problem is that we have criminalized too much here. If some 14 year old comes to you and hands you supposedly secret documents, he is behaving very ethically -- he is telling you that you have a vulnerability, rather than simply trying to sell your secrets to a competitor. That sounds like a person who can be trusted to work for you -- someone who could have easily betrayed you, but did not, and who knew when and how to do the right thing.
>
> No, the person I *want* to hire doesn't come to me with a secret document, he comes to me and says "There's a hole in this web page that will leak secret documents, but I didn't actually download one to fully verify it".
And if they do that they will get told "Well, how do you know it will actually leak secret documents, since you didn't verify that it actually leaks them? Stop wasting our time." We have all seen companies ignore vulnerabilities because the company claimed it was not exploitable when it was. Right now the FBI is claiming that they knew about the Stratfor hack and had informed people that their personal data was compromised, but we know this isn't true because live credit cards from the data leak were actually used after it became public. So again, who are you going to trust: the people who have been proven over and over to lie to the public about the state of their security, or the people showing the world they are liars?
>> The people who are going to attack your system and then sell your secrets on the black market are people who are not going to think in the structured way that your engineers think. They are going to do things that your IT staff did not expect anyone to do. They are going to do things your IT staff did not even think about. If the people in your organization were not creative enough to do what the teenage hacker did, then the teenage hacker has skills that are missing from your team -- which can be restated as the teenager is someone you should hire.
>
> No, it can be restated as "you want to hire someone with a skillset similar to that teenager". Would you hire that teenager to take several tens of thousands of cash to the bank unescorted? No? Then why are you hiring them into a position where they'll have basically unescorted access to similar amounts of valuables?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/