On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:
> The problem is that we have criminalized too much here. If some 14
> year old comes to you and hands you supposedly secret documents, he is
> behaving very ethically -- he is telling you that you have a
> vulnerability, rather than simply trying to sell your secrets to a
> competitor. That sounds like a person who can be trusted to work for
> you -- someone who could have easily betrayed you, but did not, and who
> knew when and how to do the right thing.
No, the person I *want* to hire doesn't come to me with a secret document;
he comes to me and says "There's a hole in this web page that will leak
secret documents, but I didn't actually download one to fully verify it".
> The people who are going to attack your system and then sell your
> secrets on the black market are people who are not going to think in
> the structured way that your engineers think. They are going to do
> things that your IT staff did not expect anyone to do. They are going
> to do things your IT staff did not even think about. If the people in
> your organization were not creative enough to do what the teenage
> hacker did, then the teenage hacker has skills that are missing from
> your team -- which can be restated as the teenager is someone you
> should hire.
No, it can be restated as "you want to hire someone with a skillset similar
to that teenager".
Would you hire that teenager to take several tens of thousands in cash to the
bank unescorted? No? Then why are you hiring them into a position where
they'll have basically unescorted access to similar amounts of valuables?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/