Re: Rate Stratfor's Incident Response

[Laurelai <laurelai () oneechan org>]

On 1/12/12 11:12 AM, Valdis.Kletnieks () vt edu wrote:
> On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:
>
> > The problem is that we have criminalized too much here.  If some 14
> > year old comes to you and hands you supposedly secret documents, he is
> > behaving very ethically -- he is telling you that you have a
> > vulnerability, rather than simply trying to sell your secrets to a
> > competitor.  That sounds like a person who can be trusted to work for
> > you -- someone who could have easily betrayed you, but did not, and who
> > knew when and how to do the right thing.
> No, the person I *want* to hire doesn't come to me with a secret document,
> he comes to me and says "There's a hole in this web page that will leak
> secret documents, but I didn't actually download one to fully verify it".

And if they do that they will get told "Well how do you know it will 
actually leak secret documents since you didn't verify that it actually 
leaks them, stop wasting our time" We have all seen companies ignore 
vulnerabilities because the company claimed it was not exploitable when 
it was. Right now the FBI is claiming that they knew about the Stratfor 
hack and had informed people that their personal data was compromised, 
but we know this isnt true because live credit cards from the data leak 
were actually used after it became public, so again who are you going to 
trust the people who have been proven over and over to lie to the public 
about the state of their security or the people showing the world they 
are liars?
> > The people who are going to attack your system and then sell your
> > secrets on the black market are people who are not going to think in
> > the structured way that your engineers think.  They are going to do
> > things that your IT staff did not expect anyone to do.  They are going
> > to do things your IT staff did not even think about.  If the people in
> > your organization were not creative enough to do what the teenage
> > hacker did, then the teenage hacker has skills that are missing from
> > your team -- which can be restated as the teenager is someone you
> > should hire.
> No, it can be restated as "you want to hire someone with a skillset similar
> to that teenager".
>
> Would you hire that teenager to take several tens of thousands of cash to the
> bank unescorted?  No?  Then why are you hiring them into a position where
> they'll have basically unescorted access to similar amounts of valuables?
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/