Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Gage Bystrom <themadichib0d () gmail com>
Date: Fri, 13 Jan 2012 13:14:54 -0800
Exactly. People are mostly being ridiculous atm. If they told you about a vuln and did not take advantage of it they are innocent. By all means you have the right to investigate and make sure they didn't do anything else, but if they didn't they are innocent. The moment they take advantage of a vuln to door you, steal important system files, or steal confidential information they are guilty. Accidentally finding a document is not a crime either. I really hate physical analogies but I think this one is relevant: It would be like if someone found your wallet and saw your credit card, ssn card(which you shouldn't carry with you), and your drivers license, and then found you to give it back. If they didn't do anything with it they are fine. People need to realize that the internet is the modern wild west. You only trust strangers enough to do business with them. You can't expect strangers to immediately understand your way of doing things. Real law enforcement only gets involved if something big happens. Attackers are the modern bandits from the lowly script kiddie to the billy the kids running around. You hire your sheriff because he's the best shot around. Why are people saying that the sharpshooters of this day shouldn't become sherrifs just because of prior activities? Of course you're not going to hire the guy that shot up your joint, but what real reason do you have to not hire the guy that shot up other places? A good shots a good shot and if he's willing to come clean then hand him the soap. Yeah I believe we shouldn't be hiring script kiddies, but we shouldn't discriminate against where people honed their skills. Especially something like security where they had to have their skills down on a day to day basis where it really counts. As for people complaining about them not knowing how to secure things ethics, etc: well you have a very poor knowledge of the underground hackers psychology. I've spent my share of time observing the underground, talking amongst others out of curiosity. They have more ethics than most day to day people. The good ones, the ones you'd want to hire KNOW how to secure stuff. Why? Well the secure one is easy: they don't want to get pwned, and they don't want their targets to get pwned by other people. They have to know how to be defensive or they lose their trophies. The ones that don't learn eventually that need to start learning. The ethics claim may seem strange but consider this: this is a society of sorts where everyone works together to expose fradulant vendors so they don't get scammed, no legit person screws over their clients and clients don't screw over vendors because the only business license is your reputation. And its a well understood rule that is pounded into newbs that you don't fuck up your own workplace. They make it clear that its too risky and that it'd be the same as screwing over your clients. You may not trust these people, but that's because you don't understand what they value, how they build a trust amongst themselves and more importantly you don't know how to build trust with them. No wonder its surprising if your company gets pwned cause you don't remotely try to understand the ones really doing the damage. You don't talk to them, ask them questions, you don't share interesting knowledge with them. You are being an antithesis to everything they value and not bothering to see if you should be against some of those values. On Jan 13, 2012 12:04 PM, "Laurelai" <laurelai () oneechan org> wrote:
On 1/13/12 1:24 PM, Paul Schmehl wrote:--On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter <ben.kreuter () gmail com> wrote:On Fri, 13 Jan 2012 10:37:31 -0600 Paul Schmehl<pschmehl_lists () tx rr com> wrote:--On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter <ben.kreuter () gmail com> wrote:The law is not going to stop the really bad people from attacking your system, nor is it going to stop them from profiting from whatever access they gain; sending law enforcement after someone who reports problems to you accomplishes little and only discourages people who might try to help you.Assuming everyone's motives are as pure as the driven snow is a bit naive, don't you think?Are there lingering doubts about the motives of someone who is reporting a vulnerability to you? They could have just profited from their discovery and never bothered to tell you. In any case, what have you accomplished by sending the cops after *someone who is helping you*?Unless you're a complete fool, yes. You say you're helping me, but you broke in to my server. How do I know you didn't help yourself to a permanent back door? Again, it's naive to think that most people are motivated purely by a desire to help others, especially when they are actively intruding into other people's assets. YOU might say thank you, but I'll be taking the server offline, grabbing forensic images and rebuilding it long before I get around to sayingthankyou.Well just remember they could have *not* told you and helped themselves to a backdoor. If they wanted to door you they probably wouldn't have told you. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Rate Stratfor's Incident Response, (continued)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 13)
- Re: Rate Stratfor's Incident Response Giles Coochey (Jan 13)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Paul Schmehl (Jan 13)
- Re: Rate Stratfor's Incident Response J. von Balzac (Jan 13)
- Re: Rate Stratfor's Incident Response Michael Schmidt (Jan 13)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Paul Schmehl (Jan 13)
- Re: Rate Stratfor's Incident Response Laurelai (Jan 13)
- Re: Rate Stratfor's Incident Response Gage Bystrom (Jan 13)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 14)
- Re: Rate Stratfor's Incident Response Sanguinarious Rose (Jan 14)
- Re: Rate Stratfor's Incident Response Paul Schmehl (Jan 14)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 14)
- Re: Rate Stratfor's Incident Response Sanguinarious Rose (Jan 14)
- Re: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 14)
- Re: Rate Stratfor's Incident Response Sanguinarious Rose (Jan 14)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 14)
- Re: Rate Stratfor's Incident Response Paul Schmehl (Jan 13)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)