Date: Thu, 12 Jan 2012 11:20:31 -0600
From: Laurelai <laurelai@...echan.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

On 1/12/12 11:12 AM, Valdis.Kletnieks@...edu wrote:
> On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:
>
>> The problem is that we have criminalized too much here.  If some 14
>> year old comes to you and hands you supposedly secret documents, he is
>> behaving very ethically -- he is telling you that you have a
>> vulnerability, rather than simply trying to sell your secrets to a
>> competitor.  That sounds like a person who can be trusted to work for
>> you -- someone who could have easily betrayed you, but did not, and who
>> knew when and how to do the right thing.
> No, the person I *want* to hire doesn't come to me with a secret document,
> he comes to me and says "There's a hole in this web page that will leak
> secret documents, but I didn't actually download one to fully verify it".

And if they do that they will get told, "Well, how do you know it will
actually leak secret documents, since you didn't verify that it actually
leaks them? Stop wasting our time." We have all seen companies ignore
vulnerabilities because the company claimed it was not exploitable when
it was. Right now the FBI is claiming that they knew about the Stratfor
hack and had informed people that their personal data was compromised,
but we know this isn't true because live credit cards from the data leak
were actually used after it became public. So again, who are you going to
trust: the people who have been proven over and over to lie to the public
about the state of their security, or the people showing the world they
are liars?
>> The people who are going to attack your system and then sell your
>> secrets on the black market are people who are not going to think in
>> the structured way that your engineers think.  They are going to do
>> things that your IT staff did not expect anyone to do.  They are going
>> to do things your IT staff did not even think about.  If the people in
>> your organization were not creative enough to do what the teenage
>> hacker did, then the teenage hacker has skills that are missing from
>> your team -- which can be restated as the teenager is someone you
>> should hire.
> No, it can be restated as "you want to hire someone with a skillset similar
> to that teenager".
>
> Would you hire that teenager to take several tens of thousands of cash to the
> bank unescorted?  No?  Then why are you hiring them into a position where
> they'll have basically unescorted access to similar amounts of valuables?
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

