
Re: [Full-disclosure] Rate Stratfor's Incident Response



On Tue, 10 Jan 2012 21:39:07 -0800
Ian Hayes <cthulhucalling@xxxxxxxxx> wrote:

> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai <laurelai@xxxxxxxxxxxx>
> wrote:
> > On 1/10/12 10:18 PM, Byron Sonne wrote:
> >>> Don't piss off a talented adolescent with computer skills.
> >> Amen! I love me some stylin' pwnage :)
> >>
> >> Whether they were skiddies or actual hackers, it's still amusing
> >> (and frightening to some) that companies who really should know
> >> better, in fact, don't.
> >>
> > And again, if companies hired these people, most of whom come from
> > disadvantaged backgrounds and are self-taught, they wouldn't have as
> > much of a reason to be angry anymore. Most of them feel like they
> > don't have any real opportunities for a career and they are often
> > right.
> 
> [citation needed]
> 
> > Microsoft hired some kid who hacked their network, it is a safe bet
> > he isn't going to be causing any trouble anymore.
> 
> Are you proposing that we reward all such behavior with jobs? I've
> always wanted to be a firefighter. Forget resumes, job applications
> and interviews, I'm going to set people's houses on fire.

No, it is more like you see a house on fire, call 911, then clear the
road so that firefighters can get to the house.  You know, someone who
is helping the professionals do their job?

> By your
> logic, an arsonist is not only the best person to combat other
> arsonists, but due to his obviously unique insight into the nature of
> fire, simply must know how best to fight a fire as opposed to someone
> who went to school for years to learn the trade.

Unless you are going to give me a proof that no attack on my network
could be successful, you need people who can find their way through the
cracks to evaluate the efficacy of your security system.  If the people
you already hired to maintain your security are not able to identify
threats and design systems that are resilient to those threats, then
you need to hire someone else.  A security team will benefit from
having someone poke holes in their design.

> > Talking about the trust issue, who
> > would you trust more the person who has all the certs and experience
> > that told you your network was safe or the 14 year old who proved
> > him wrong?
> 
> This is asinine. WHY would I want to hire someone for a position of
> trust that just committed a crime, or at the very least acted in an
> unethical manner?

The problem is that we have criminalized too much here.  If some 14
year old comes to you and hands you supposedly secret documents, he is
behaving very ethically -- he is telling you that you have a
vulnerability, rather than simply trying to sell your secrets to a
competitor.  That sounds like a person who can be trusted to work for
you -- someone who could have easily betrayed you, but did not, and who
knew when and how to do the right thing.

> More than anything, that person has proven that
> while he *might* have the technical chops, he certainly lacks the
> ethics and decision making skills to operate in the grown-up world.

No, it means you have someone whose mind is not confined to the
structure that most adults' minds are confined to.  There is a scene
from the movie "Operation Takedown" that comes to mind here:

Cop: "Don't worry, all our radios use encryption."
Hacker:  "What do you think he'll do when he hears a bunch of encrypted
radio transmissions?"

People who go through years of schooling often have the same view of a
system, and often think about things the same way.  They learn a
particular model of the world, and like every other model there is a
point beyond which the real world diverges from the model.  It helps to
have someone who can point out where the model will break down, which
is either someone who is very intelligent or someone who thinks about
things differently.  A hacker who comes to you and explains that they
have broken your security system is going to fit into one of those
categories.

The people who are going to attack your system and then sell your
secrets on the black market are people who are not going to think in
the structured way that your engineers think.  They are going to do
things that your IT staff did not expect anyone to do.  They are going
to do things your IT staff did not even think about.  If the people in
your organization were not creative enough to do what the teenage
hacker did, then the teenage hacker has skills that are missing from
your team -- which can be restated as the teenager is someone you
should hire.

Even if you were only attacked by a script kiddie, you should at least
talk to them about a possible job.  If you are vulnerable to the common
exploits that script kiddies are using, then you probably need someone
in your organization who is familiar with script kiddie tools and
forums.  Relying on the police to track script kiddies down while your
own high-paid security staff fails to protect your system from known
exploits is a pretty bad approach to security.

-- Ben



--
Benjamin R Kreuter
UVA Computer Science
brk7bx@xxxxxxxxxxxx

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/