RE: Scandal: IT Security firm hires...

[ktabic <lists () ktabic co uk>]

On Mon, 2004-09-20 at 14:57 -0400, Glenn_Everhart () bankone com wrote:
> Think of this not so much as criminal vs. noncriminal but in warfare
> terms. Security defenders have to design fortifications to keep out
> attackers.

If it is warfare, it isn't warfare in the sense you are putting forward.
There are no pitched battles, one side isn't anything like an army. The
closest to two armys fighting it out in a modern traditional sense is
asynchronus warfare. Or guerilla warfare.
But it's closest is more of a police action.
> If I am trying to build field fortifications and my forces have captured
> one of the enemy's designers of attacks, I might very reasonably want to
> pick his brain to help me get better defensive designs.

This really is where this anology falls down. After all, they have now
managed to 'capture' him after his attacks. Which means that they can
study the results with out him (especially in is case, since they can,
if nessercary perform their own attacks with sasser in a sandbox as well
as deconstructing sasser at thier leisure).
Also they haven't managed to capture the attack designer. He's still at
large, working for eEye. That seriously reduces the possible benefits of
making use of his knowledge.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html