Re: [Full-Disclosure] Scandal: IT Security firm hires...



On Mon, 20 Sep 2004 14:57:13 -0400, glenn_everhart@xxxxxxxxxxx
<glenn_everhart@xxxxxxxxxxx> wrote:
> Think of this not so much as criminal vs. noncriminal but in warfare
> terms. Security defenders have to design fortifications to keep out
> attackers.
> 
> If I am trying to build field fortifications and my forces have captured
> one of the enemy's designers of attacks, I might very reasonably want to
> pick his brain to help me get better defensive designs.
> 
> That doesn't mean I will (or should) believe he has come over to my side
> of the conflict, nor does it mean I would have him design any part of my
> defenses, lest he build in weaknesses. Yet if I tell him of various defenses
> and he tells me of attacks on them which I had not considered, I may find
> value in his advice. What I have to validate for myself, even though I
> distrust its source, still has some usefulness.
> 
> The thing is, if I am fighting a war I can probably find people to guard this
> guy and make sure he doesn't see anything but what I show him, and keep him
> from escaping back to rejoin or inform his old friends.
> 
> A company wanting to do this had better be more confident than most in its
> ability to build internal barriers to information, and in its ability to
> watch what of its sensitive information gets into the enemy or ex-enemy
> hands, and what leaves them for where.
> 
> They should remember: if the captured enemy designer should retain his old
> loyalty and report their secrets to other enemies, the value of that company's
> secrets will be lost.
> 
> So how good is the internal security being practiced by the hiring firm?
> Does this indicate, perhaps, some overconfidence?
> 
> Glenn Everhart
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx]On Behalf Of Harlan
> Carvey
> Sent: Monday, September 20, 2004 1:20 PM
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires...
> 
> > > Does it not strike anyone that there is a disturbing trend in
> > > malicious hackers (yes, yes, I know, they are not hackers if
> > > they are malicious, so call em whatever you want) getting
> > > hired to security firms,
> 
> Regardless of the reason for hiring these individuals,
> this fact should be noted by any organization subject
> to legal or regulatory compliance with regards to
> computer/information security.  While the laws in the
> US do not specifically stipulate that reputable firms
> must be used when seeking compliance with vuln/risk
> assessments, etc., one would hope that the
> professional reputation of the assessing firm would be
> considered, as well.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

Maybe they are just acknowledging that it is more profitable to
"consult" rather than "penetrate and reveal".

-- 
Charlie Heselton
Network Security Engineer