From: Glenn_Everhart at bankone.com (Glenn_Everhart@...kone.com)
Subject: Scandal: IT Security firm hires...

Think of this not so much as criminal vs. noncriminal but in warfare
terms. Security defenders have to design fortifications to keep out
attackers.

If I am trying to build field fortifications and my forces have captured
one of the enemy's designers of attacks, I might very reasonably want to
pick his brain to help me get better defensive designs.

That doesn't mean I will (or should) believe he has come over to my side
of the conflict, nor does it mean I would have him design any part of my
defenses, lest he build in weaknesses. Yet if I tell him of various defenses
and he tells me of attacks on them which I had not considered, I may find
value in his advice. What I have to validate for myself, even though I
distrust its source, still has some usefulness.

The thing is, if I am fighting a war I can probably find people to guard this
guy and make sure he doesn't see anything but what I show him, and keep him
from escaping back to rejoin or inform his old friends.

A company wanting to do this had better be more confident than most in its
ability to build internal barriers to information, and in its ability to
watch what of its sensitive information gets into the enemy or ex-enemy
hands, and what leaves them for where.

They should remember: if the captured enemy designer should retain his old
loyalty and report their secrets to other enemies, the value of that company's
secrets will be lost. 

So how good is the internal security being practiced by the hiring firm?
Does this indicate, perhaps, some overconfidence?

Glenn Everhart

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Harlan Carvey
Sent: Monday, September 20, 2004 1:20 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires...


> > Does it not strike anyone that there is a disturbing trend in
> > malicious hackers (yes, yes, I know, they are not hackers if
> > they are malicious, so call em whatever you want) getting
> > hired to security firms,

Regardless of the reason for hiring these individuals,
this fact should be noted by any organization subject
to legal or regulatory compliance with regards to
computer/information security.  While the laws in the
US do not specifically stipulate that reputable firms
must be used when seeking compliance with vuln/risk
assessments, etc., one would hope that the
professional reputation of the assessing firm would be
considered, as well.  
