On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:

> The problem is that we have criminalized too much here. If some 14
> year old comes to you and hands you supposedly secret documents, he is
> behaving very ethically -- he is telling you that you have a
> vulnerability, rather than simply trying to sell your secrets to a
> competitor. That sounds like a person who can be trusted to work for
> you -- someone who could have easily betrayed you, but did not, and who
> knew when and how to do the right thing.

No, the person I *want* to hire doesn't come to me with a secret document, he comes to me and says "There's a hole in this web page that will leak secret documents, but I didn't actually download one to fully verify it".

> The people who are going to attack your system and then sell your
> secrets on the black market are people who are not going to think in
> the structured way that your engineers think. They are going to do
> things that your IT staff did not expect anyone to do. They are going
> to do things your IT staff did not even think about. If the people in
> your organization were not creative enough to do what the teenage
> hacker did, then the teenage hacker has skills that are missing from
> your team -- which can be restated as the teenager is someone you
> should hire.

No, it can be restated as "you want to hire someone with a skillset similar to that teenager". Would you hire that teenager to take several tens of thousands of cash to the bank unescorted? No? Then why are you hiring them into a position where they'll have basically unescorted access to similar amounts of valuables?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/