Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Rate Stratfor's Incident Response
From: Giles Coochey <giles () coochey net>
Date: Thu, 12 Jan 2012 18:29:42 +0000

On 12/01/2012 18:12, Laurelai wrote:
*Laurelai* I know its a strange spelling but it is spelled correctly in my email address, and its than not that. Committing arson is not comparable to a digital intrusion, no lives are lost and any enterprise system worth speaking of has backup systems so very little real damage is done,

Even if they do have backups (which they might not), does not mean that your intrusion isn't going to cost them money. You come across as the type of person who could justify marines pissing over afghans by saying, "hey - what the hell, the afghans were dead!" You cannot cite that no lives are lost in a digital intrusion, if you were to take down the traffic control systems of a city and there were accidents, then I'm afraid, you're plain wrong. Particularly if your some hacker unacqainted with a companies internal digital infrastructure - you're more like a bull in a chinashop.

the most damage that occurs is to their reputation, it injures peoples pride and causes humiliation. The people being humiliated have created reputations as experts in infosec, reputations that as its being shown they don't deserve.

Your attitude appears to show to me that you seem to be unconcerned about humiliating people, have no concern to what actions a humiliated person might commit. There is anger in your tone of script - I would have concerns about hiring someone who thinks in this way, it comes across to me that they would be overly confrontational and destructive to my teams way of working.

Lets be honest here if it wasn't anon/antisec doing it someone else would have eventually (perhaps they already were) and they probably wouldn't have made the incident public, they would have just quietly stolen user data and credit card information and sold them off to the highest bidder for as long as they possibly could. Or used stolen credentials to gain access to even more data. You seem to be missing the point that anon/antisec is using methods for the most part that are simple attacks that any company has absolutely no excuse to be vulnerable to. This is more like owning a large store and leaving the doors unlocked at night and finding that some kids walked in and put all of your stock outside of the store and pinned your internal finance documents that show you have been embezzling to the windows, plus they drew penises on the pictures in your office just to pour salt on the wound. In this case you have nobody to blame but yourself.

The store manager is partly to blame, but if CCTV shows the kids stealing stuff then they will still be convicted of the crime and the excuse they might give that the 'door was unlocked' would not get them off the charge of theft and vandalism (although they might not be guilty of 'breaking and entering', they might be considered for 'trespassing'.

My suggestion that they should hire these kids was meant to imply that as bad as they are they probably are more ethical than the people they are attacking since they aren't storing all sorts of sensitive user data in plain text and telling people its all safe.

Hell NO! Wouldn't trust anyone who broke into my company like that. If they contacted me I'd be straight onto law enforcement to report them for trying to blackmail me.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]