Date: Thu, 12 Jan 2012 12:12:40 -0500
From: Valdis.Kletnieks@...edu
To: Benjamin Kreuter <ben.kreuter@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:

> The problem is that we have criminalized too much here.  If some 14
> year old comes to you and hands you supposedly secret documents, he is
> behaving very ethically -- he is telling you that you have a
> vulnerability, rather than simply trying to sell your secrets to a
> competitor.  That sounds like a person who can be trusted to work for
> you -- someone who could have easily betrayed you, but did not, and who
> knew when and how to do the right thing.

No, the person I *want* to hire doesn't come to me with a secret document,
he comes to me and says "There's a hole in this web page that will leak
secret documents, but I didn't actually download one to fully verify it".

> The people who are going to attack your system and then sell your
> secrets on the black market are people who are not going to think in
> the structured way that your engineers think.  They are going to do
> things that your IT staff did not expect anyone to do.  They are going
> to do things your IT staff did not even think about.  If the people in
> your organization were not creative enough to do what the teenage
> hacker did, then the teenage hacker has skills that are missing from
> your team -- which can be restated as the teenager is someone you
> should hire.

No, it can be restated as "you want to hire someone with a skillset similar
to that teenager".

Would you hire that teenager to take several tens of thousands of cash to the
bank unescorted?  No?  Then why are you hiring them into a position where
they'll have basically unescorted access to similar amounts of valuables?
