Full Disclosure mailing list archives

Re: Rate Stratfor's Incident Response


From: Giles Coochey <giles () coochey net>
Date: Thu, 12 Jan 2012 18:29:42 +0000

On 12/01/2012 18:12, Laurelai wrote:
> *Laurelai* I know it's a strange spelling but it is spelled correctly in my email address, and it's than not that. Committing arson is not comparable to a digital intrusion, no lives are lost and any enterprise system worth speaking of has backup systems so very little real damage is done,

Even if they do have backups (which they might not), that does not mean that your intrusion isn't going to cost them money. You come across as the type of person who could justify marines pissing over Afghans by saying, "hey - what the hell, the Afghans were dead!" You cannot cite that no lives are lost in a digital intrusion; if you were to take down the traffic control systems of a city and there were accidents, then I'm afraid you're plain wrong. Particularly if you're some hacker unacquainted with a company's internal digital infrastructure - you're more like a bull in a china shop.

> the most damage that occurs is to their reputation, it injures people's pride and causes humiliation. The people being humiliated have created reputations as experts in infosec, reputations that, as it's being shown, they don't deserve.

Your attitude appears to show to me that you seem to be unconcerned about humiliating people, and have no concern for what actions a humiliated person might commit. There is anger in your tone of script - I would have concerns about hiring someone who thinks in this way; it comes across to me that they would be overly confrontational and destructive to my team's way of working.

> Let's be honest here: if it wasn't anon/antisec doing it someone else would have eventually (perhaps they already were) and they probably wouldn't have made the incident public, they would have just quietly stolen user data and credit card information and sold them off to the highest bidder for as long as they possibly could. Or used stolen credentials to gain access to even more data. You seem to be missing the point that anon/antisec is using methods for the most part that are simple attacks that any company has absolutely no excuse to be vulnerable to. This is more like owning a large store and leaving the doors unlocked at night and finding that some kids walked in and put all of your stock outside of the store and pinned your internal finance documents that show you have been embezzling to the windows, plus they drew penises on the pictures in your office just to pour salt on the wound. In this case you have nobody to blame but yourself.

The store manager is partly to blame, but if CCTV shows the kids stealing stuff then they will still be convicted of the crime, and the excuse they might give that the 'door was unlocked' would not get them off the charge of theft and vandalism (although they might not be guilty of 'breaking and entering', they might be considered for 'trespassing').

> My suggestion that they should hire these kids was meant to imply that as bad as they are they probably are more ethical than the people they are attacking, since they aren't storing all sorts of sensitive user data in plain text and telling people it's all safe.

Hell NO! Wouldn't trust anyone who broke into my company like that. If they contacted me I'd be straight onto law enforcement to report them for trying to blackmail me.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
