Full Disclosure mailing list archives

RE: Scandal: IT Security firm hires...


From: <Glenn_Everhart () bankone com>
Date: Mon, 20 Sep 2004 14:57:13 -0400

Think of this not so much as criminal vs. noncriminal but in warfare
terms. Security defenders have to design fortifications to keep out
attackers.

If I am trying to build field fortifications and my forces have captured
one of the enemy's designers of attacks, I might very reasonably want to
pick his brain to help me get better defensive designs.

That doesn't mean I will (or should) believe he has come over to my side
of the conflict, nor does it mean I would have him design any part of my
defenses, lest he build in weaknesses. Yet if I tell him of various defenses
and he tells me of attacks on them which I had not considered, I may find
value in his advice. What I have to validate for myself, even though I
distrust its source, still has some usefulness.

The thing is, if I am fighting a war I can probably find people to guard this
guy and make sure he doesn't see anything but what I show him, and keep him
from escaping back to rejoin or inform his old friends.

A company wanting to do this had better be more confident than most in its
ability to build internal barriers to information, and in its ability to
watch what of its sensitive information gets into the enemy or ex-enemy
hands, and what leaves them for where.

They should remember: if the captured enemy designer should retain his old
loyalty and report their secrets to other enemies, the value of that company's
secrets will be lost. 

So how good is the internal security being practiced by the hiring firm?
Does this indicate, perhaps, some overconfidence?

Glenn Everhart

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Harlan
Carvey
Sent: Monday, September 20, 2004 1:20 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Scandal: IT Security firm hires...


Does it not strike anyone that there is a disturbing trend in
malicious hackers (yes, yes, I know, they are not hackers if
they are malicious, so call 'em whatever you want) getting
hired to security firms,

Regardless of the reason for hiring these individuals,
this fact should be noted by any organization subject
to legal or regulatory compliance with regards to
computer/information security.  While the laws in the
US do not specifically stipulate that reputable firms
must be used when seeking compliance with vuln/risk
assessments, etc., one would hope that the
professional reputation of the assessing firm would be
considered, as well.  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


