Date: Fri, 13 Jan 2012 14:03:36 -0600
From: Laurelai <laurelai@...echan.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

On 1/13/12 1:24 PM, Paul Schmehl wrote:
> --On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter
> <ben.kreuter@...il.com>  wrote:
>
>> On Fri, 13 Jan 2012 10:37:31 -0600
>> Paul Schmehl<pschmehl_lists@...rr.com>  wrote:
>>
>>> --On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter
>>> <ben.kreuter@...il.com>  wrote:
>>>
>>>> The law is not going to stop the really bad people
>>>> from attacking your system, nor is it going to stop them from
>>>> profiting from whatever access they gain; sending law enforcement
>>>> after someone who reports problems to you accomplishes little and
>>>> only discourages people who might try to help you.
>>>>
>>> Assuming everyone's motives are as pure as the driven snow is a bit
>>> naive, don't you think?
>> Are there lingering doubts about the motives of someone who is
>> reporting a vulnerability to you?  They could have just profited from
>> their discovery and never bothered to tell you.  In any case, what have
>> you accomplished by sending the cops after *someone who is helping you*?
>>
> Unless you're a complete fool, yes.  You say you're helping me, but you
> broke into my server.  How do I know you didn't help yourself to a
> permanent back door?
>
> Again, it's naive to think that most people are motivated purely by a
> desire to help others, especially when they are actively intruding into
> other people's assets.
>
> YOU might say thank you, but I'll be taking the server offline, grabbing
> forensic images and rebuilding it long before I get around to saying thank
> you.
>
Well, just remember they could have *not* told you and helped themselves
to a backdoor. If they wanted to door you, they probably wouldn't have
told you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
