Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Laurelai <laurelai () oneechan org>
Date: Thu, 12 Jan 2012 12:12:40 -0600
On 1/12/12 11:21 AM, Ian Hayes wrote:
> On Wed, Jan 11, 2012 at 9:57 AM, Benjamin Kreuter <ben.kreuter () gmail com> wrote:
>> On Tue, 10 Jan 2012 21:39:07 -0800 Ian Hayes <cthulhucalling () gmail com> wrote:
>>> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai <laurelai () oneechan org> wrote:
>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>> Don't piss off a talented adolescent with computer skills.
>>>>> Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
>>>> And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right.
>>> [citation needed]
>>>> Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.
>>> Are you proposing that we reward all such behavior with jobs? I've always wanted to be a firefighter. Forget resumes, job applications and interviews, I'm going to set people's houses on fire.
>> No, it is more like you see a house on fire, call 911, then clear the road so that firefighters can get to the house. You know, someone who is helping the professionals do their job?
> Yes. But by Larueli's logic, since I know how to use a Bic lighter, I'm infinitely more qualified than a trained firefighter. By setting fire to other people's houses, I'm announcing my intention to join their ranks, and deserve a job at the nearest station. Nevermind that 20 people died and hundreds of thousands of dollars of property damage- if the firemen were true professionals, they would have made the houses completely fireproof a long time ago, or at the very least responded and put out the fire before any real damage was done. Plus, I have a Zippo, which makes me uber-leet.
*Laurelai*. I know it's a strange spelling, but it is spelled correctly in my email address, and its than not that. Committing arson is not comparable to a digital intrusion: no lives are lost, and any enterprise system worth speaking of has backup systems, so very little real damage is done. The most damage that occurs is to their reputation; it injures people's pride and causes humiliation. The people being humiliated have created reputations as experts in infosec, reputations that, as is being shown, they don't deserve. Let's be honest here: if it wasn't anon/antisec doing it, someone else would have eventually (perhaps they already were), and they probably wouldn't have made the incident public. They would have just quietly stolen user data and credit card information and sold them off to the highest bidder for as long as they possibly could, or used stolen credentials to gain access to even more data. You seem to be missing the point that anon/antisec is using methods that are, for the most part, simple attacks that any company has absolutely no excuse to be vulnerable to. This is more like owning a large store and leaving the doors unlocked at night, and finding that some kids walked in and put all of your stock outside of the store and pinned your internal finance documents that show you have been embezzling to the windows, plus they drew penises on the pictures in your office just to pour salt on the wound. In this case you have nobody to blame but yourself. My suggestion that they should hire these kids was meant to imply that, as bad as they are, they probably are more ethical than the people they are attacking, since they aren't storing all sorts of sensitive user data in plain text and telling people it's all safe.
>>> By your logic, an arsonist is not only the best person to combat other arsonists, but due to his obviously unique insight into the nature of fire, simply must know how best to fight a fire as opposed to someone who went to school for years to learn the trade.
>> Unless you are going to give me a proof that no attack on my network could be successful, you need people who can find their way through the cracks to evaluate the efficacy of your security system. If the people you already hired to maintain your security are not able to identify threats and design systems that are resilient to those threats, then you need to hire someone else. A security team will benefit from having someone poke holes in their design.
> Anyone who says "you are secure, you are hacker-proof" should be shown the door. But this is reality. Companies don't WANT to know that the Emperor is naked. All they want is to fill in the checkbox that says that they did their due diligence, so they pass their annual audit. If holes are found, now they have to spend time, money and effort fixing them, or they lose their insurance/merchant status/some kind of accreditation. That's why most organizations are happy with some guy who charges $500/hr to run a Nessus scan and walk out the door. He had a goatee, and ate all of our donuts, so he must have been a real pro! Once these businesses start asking for real security professionals and real assessments, these "white hat" versions of script kiddies will get weeded out.
We can at least agree on that much. However, the only way to show these companies that the emperor has no clothes is to show them that the emperor has no clothes.
>>>> Talking about the trust issue, who would you trust more: the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong?
>>> This is asinine. WHY would I want to hire someone for a position of trust that just committed a crime, or at the very least acted in an unethical manner?
>> The problem is that we have criminalized too much here. If some 14 year old comes to you and hands you supposedly secret documents, he is behaving very ethically -- he is telling you that you have a vulnerability, rather than simply trying to sell your secrets to a competitor. That sounds like a person who can be trusted to work for you -- someone who could have easily betrayed you, but did not, and who knew when and how to do the right thing.
> One right does not erase a wrong. Strip away the "robbed from the rich, gave to the poor" mythos, Robin Hood was still a thief, robber and murderer.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Fwd: Rate Stratfor's Incident Response, (continued)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 11)
- Re: Fwd: Rate Stratfor's Incident Response Dan Ballance (Jan 12)
- Re: Fwd: Rate Stratfor's Incident Response Kyle Creyts (Jan 12)
- Re: Fwd: Rate Stratfor's Incident Response coderman (Jan 16)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)
- Re: Rate Stratfor's Incident Response Laurelai (Jan 12)
- Re: Rate Stratfor's Incident Response Ian Hayes (Jan 12)
- Re: Rate Stratfor's Incident Response Laurelai (Jan 12)
- Re: Rate Stratfor's Incident Response Giles Coochey (Jan 12)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)
- Re: Rate Stratfor's Incident Response Byron Sonne (Jan 12)
- Re: Rate Stratfor's Incident Response Giles Coochey (Jan 12)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Jeffrey Walton (Jan 12)
- Re: Rate Stratfor's Incident Response BMF (Jan 12)
- Re: Rate Stratfor's Incident Response Thor (Hammer of God) (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 13)