lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <EA7C77F97CC73F4AAC856A4595DF34E20B8FA164@swilnts801.wil.fusa.com>
From: Glenn_Everhart at bankone.com (Glenn_Everhart@...kone.com)
Subject: Scandal: IT Security firm hires...

Think of this not so much as criminal vs. noncriminal but in warfare
terms. Security defenders have to design fortifications to keep out
attackers.

If I am trying to build field fortifications and my forces have captured
one of the enemy's designers of attacks, I might very reasonably want to
pick his brain to help me get better defensive designs.

That doesn't mean I will (or should) believe he has come over to my side
of the conflict, nor does it mean I would have him design any part of my
defenses, lest he build in weaknesses. Yet if I tell him of various defenses
and he tells me of attacks on them which I had not considered, I may find
value in his advice. What I have to validate for myself, even though I
distrust its source, still has some usefulness.

The thing is, if I am fighting a war I can probably find people to guard this
guy and make sure he doesn't see anything but what I show him, and keep him
from escaping back to rejoin or inform his old friends.

A company wanting to do this had better be more confident than most in its
ability to build internal barriers to information, and in its ability to
watch what of its sensitive information gets into the enemy or ex-enemy
hands, and what leaves them for where.

They should remember: if the captured enemy designer should retain his old
loyalty and report their secrets to other enemies, the value of that company's
secrets will be lost. 

So how good is the internal security being practiced by the hiring firm?
Does this indicate, perhaps, some overconfidence?

Glenn Everhart

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Harlan
Carvey
Sent: Monday, September 20, 2004 1:20 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires...


> > Does it not strike anyone that there is a
> disturbing trend in 
> > malicious hackers (yes, yes, I know, they are not
> hackers if 
> > they are malicious, so call em whatever you want)
> getting 
> > hired to security firms, 

Regardless of the reason for hiring these individuals,
this fact should be noted by any organization subject
to legal or regulatory compliance with regards to
computer/information security.  While the laws in the
US do not specifically stipulate that reputable firms
must be used when seeking compliance with vuln/risk
assessments, etc., one would hope that the
professional reputation of the assessing firm would be
considered, as well.  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


**********************************************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you
**********************************************************************


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ