
Re: [Full-disclosure] Rate Stratfor's Incident Response



On 1/12/12 11:12 AM, Valdis.Kletnieks@xxxxxx wrote:
> On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:
>
>> The problem is that we have criminalized too much here.  If some 14
>> year old comes to you and hands you supposedly secret documents, he is
>> behaving very ethically -- he is telling you that you have a
>> vulnerability, rather than simply trying to sell your secrets to a
>> competitor.  That sounds like a person who can be trusted to work for
>> you -- someone who could have easily betrayed you, but did not, and who
>> knew when and how to do the right thing.
>
> No, the person I *want* to hire doesn't come to me with a secret document,
> he comes to me and says "There's a hole in this web page that will leak
> secret documents, but I didn't actually download one to fully verify it".

And if they do that, they will get told "Well, how do you know it will actually leak secret documents, since you didn't verify that it actually leaks them? Stop wasting our time." We have all seen companies ignore vulnerabilities because the company claimed it was not exploitable when it was. Right now the FBI is claiming that they knew about the Stratfor hack and had informed people that their personal data was compromised, but we know this isn't true because live credit cards from the data leak were actually used after it became public. So again, who are you going to trust: the people who have been proven over and over to lie to the public about the state of their security, or the people showing the world they are liars?
>> The people who are going to attack your system and then sell your
>> secrets on the black market are people who are not going to think in
>> the structured way that your engineers think.  They are going to do
>> things that your IT staff did not expect anyone to do.  They are going
>> to do things your IT staff did not even think about.  If the people in
>> your organization were not creative enough to do what the teenage
>> hacker did, then the teenage hacker has skills that are missing from
>> your team -- which can be restated as the teenager is someone you
>> should hire.
>
> No, it can be restated as "you want to hire someone with a skillset similar
> to that teenager".
>
> Would you hire that teenager to take several tens of thousands of cash to the
> bank unescorted?  No?  Then why are you hiring them into a position where
> they'll have basically unescorted access to similar amounts of valuables?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
