On Mon, 20 Sep 2004 14:57:13 -0400, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Think of this not so much as criminal vs. noncriminal but in warfare
> terms. Security defenders have to design fortifications to keep out
> attackers.
>
> If I am trying to build field fortifications and my forces have captured
> one of the enemy's designers of attacks, I might very reasonably want to
> pick his brain to help me get better defensive designs.
>
> That doesn't mean I will (or should) believe he has come over to my side
> of the conflict, nor does it mean I would have him design any part of my
> defenses, lest he build in weaknesses. Yet if I tell him of various defenses
> and he tells me of attacks on them which I had not considered, I may find
> value in his advice. What I have to validate for myself, even though I
> distrust its source, still has some usefulness.
>
> The thing is, if I am fighting a war I can probably find people to guard this
> guy and make sure he doesn't see anything but what I show him, and keep him
> from escaping back to rejoin or inform his old friends.
>
> A company wanting to do this had better be more confident than most in its
> ability to build internal barriers to information, and in its ability to
> watch what of its sensitive information gets into the enemy or ex-enemy
> hands, and what leaves them for where.
>
> They should remember: if the captured enemy designer should retain his old
> loyalty and report their secrets to other enemies, the value of that company's
> secrets will be lost.
>
> So how good is the internal security being practiced by the hiring firm?
> Does this indicate, perhaps, some overconfidence?
>
> Glenn Everhart
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Harlan Carvey
> Sent: Monday, September 20, 2004 1:20 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires...
> > > > Does it not strike anyone that there is a disturbing trend in
> > > > malicious hackers (yes, yes, I know, they are not hackers if
> > > > they are malicious, so call em whatever you want) getting
> > > > hired to security firms,
>
> Regardless of the reason for hiring these individuals,
> this fact should be noted by any organization subject
> to legal or regulatory compliance with regards to
> computer/information security. While the laws in the
> US do not specifically stipulate that reputable firms
> must be used when seeking compliance with vuln/risk
> assessments, etc., one would hope that the
> professional reputation of the assessing firm would be
> considered, as well.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Maybe they are just acknowledging that it is more profitable to "consult" rather than "penetrate and reveal".

--
Charlie Heselton
Network Security Engineer
