Re: Rate Stratfor's Incident Response

[Valdis.Kletnieks () vt edu]

On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:

> The problem is that we have criminalized too much here.  If some 14
> year old comes to you and hands you supposedly secret documents, he is
> behaving very ethically -- he is telling you that you have a
> vulnerability, rather than simply trying to sell your secrets to a
> competitor.  That sounds like a person who can be trusted to work for
> you -- someone who could have easily betrayed you, but did not, and who
> knew when and how to do the right thing.

No, the person I *want* to hire doesn't come to me with a secret document,
he comes to me and says "There's a hole in this web page that will leak
secret documents, but I didn't actually download one to fully verify it".

> The people who are going to attack your system and then sell your
> secrets on the black market are people who are not going to think in
> the structured way that your engineers think.  They are going to do
> things that your IT staff did not expect anyone to do.  They are going
> to do things your IT staff did not even think about.  If the people in
> your organization were not creative enough to do what the teenage
> hacker did, then the teenage hacker has skills that are missing from
> your team -- which can be restated as the teenager is someone you
> should hire.

No, it can be restated as "you want to hire someone with a skillset similar
to that teenager".

Would you hire that teenager to take several tens of thousands of cash to the
bank unescorted?  No?  Then why are you hiring them into a position where
they'll have basically unescorted access to similar amounts of valuables?

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/