Message-ID: <893e7f9104092101501abddbed@mail.gmail.com>
From: charles.heselton at gmail.com (Charles Heselton)
Subject: Scandal: IT Security firm hires...

On Mon, 20 Sep 2004 14:57:13 -0400, glenn_everhart@...kone.com
<glenn_everhart@...kone.com> wrote:
> Think of this not so much as criminal vs. noncriminal but in warfare
> terms. Security defenders have to design fortifications to keep out
> attackers.
> 
> If I am trying to build field fortifications and my forces have captured
> one of the enemy's designers of attacks, I might very reasonably want to
> pick his brain to help me get better defensive designs.
> 
> That doesn't mean I will (or should) believe he has come over to my side
> of the conflict, nor does it mean I would have him design any part of my
> defenses, lest he build in weaknesses. Yet if I tell him of various defenses
> and he tells me of attacks on them which I had not considered, I may find
> value in his advice. What I have to validate for myself, even though I
> distrust its source, still has some usefulness.
> 
> The thing is, if I am fighting a war I can probably find people to guard this
> guy and make sure he doesn't see anything but what I show him, and keep him
> from escaping back to rejoin or inform his old friends.
> 
> A company wanting to do this had better be more confident than most in its
> ability to build internal barriers to information, and in its ability to
> watch what of its sensitive information gets into the enemy or ex-enemy
> hands, and what leaves them for where.
> 
> They should remember: if the captured enemy designer should retain his old
> loyalty and report their secrets to other enemies, the value of that company's
> secrets will be lost.
> 
> So how good is the internal security being practiced by the hiring firm?
> Does this indicate, perhaps, some overconfidence?
> 
> Glenn Everhart
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Harlan
> Carvey
> Sent: Monday, September 20, 2004 1:20 PM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires...
> 
> > > Does it not strike anyone that there is a disturbing trend in
> > > malicious hackers (yes, yes, I know, they are not hackers if
> > > they are malicious, so call em whatever you want) getting
> > > hired to security firms,
> 
> Regardless of the reason for hiring these individuals,
> this fact should be noted by any organization subject
> to legal or regulatory compliance with regards to
> computer/information security.  While the laws in the
> US do not specifically stipulate that reputable firms
> must be used when seeking compliance with vuln/risk
> assessments, etc., one would hope that the
> professional reputation of the assessing firm would be
> considered, as well.

Maybe they are just acknowledging that it is more profitable to
"consult" rather than "penetrate and reveal".

-- 
Charlie Heselton
Network Security Engineer
