Re: Rate Stratfor's Incident Response
From: Giles Coochey <giles () coochey net>
Date: Thu, 12 Jan 2012 18:29:42 +0000
On 12/01/2012 18:12, Laurelai wrote:

> *Laurelai* I know it's a strange spelling but it is spelled correctly
> in my email address, and it's than not that. Committing arson is not
> comparable to a digital intrusion, no lives are lost and any
> enterprise system worth speaking of has backup systems so very little
> real damage is done,

Even if they do have backups (which they might not), that does not mean that
your intrusion isn't going to cost them money. You come across as the
type of person who could justify marines pissing over afghans by saying,
"hey - what the hell, the afghans were dead!"

You cannot cite that no lives are lost in a digital intrusion, if you
were to take down the traffic control systems of a city and there were
accidents, then I'm afraid, you're plain wrong. Particularly if you're
some hacker unacquainted with a company's internal digital infrastructure
- you're more like a bull in a china shop.

> the most damage that occurs is to their reputation, it injures people's
> pride and causes humiliation. The people being humiliated have created
> reputations as experts in infosec, reputations that as it's being shown
> they don't deserve.

Your attitude appears to show to me that you seem to be unconcerned
about humiliating people, have no concern to what actions a humiliated
person might commit. There is anger in your tone of script - I would
have concerns about hiring someone who thinks in this way, it comes
across to me that they would be overly confrontational and destructive
to my team's way of working.

> Let's be honest here if it wasn't anon/antisec doing it someone else
> would have eventually (perhaps they already were) and they probably
> wouldn't have made the incident public, they would have just quietly
> stolen user data and credit card information and sold them off to the
> highest bidder for as long as they possibly could. Or used stolen
> credentials to gain access to even more data. You seem to be missing
> the point that anon/antisec is using methods for the most part that
> are simple attacks that any company has absolutely no excuse to be
> vulnerable to. This is more like owning a large store and leaving the
> doors unlocked at night and finding that some kids walked in and put
> all of your stock outside of the store and pinned your internal
> finance documents that show you have been embezzling to the windows,
> plus they drew penises on the pictures in your office just to pour
> salt on the wound. In this case you have nobody to blame but yourself.

The store manager is partly to blame, but if CCTV shows the kids
stealing stuff then they will still be convicted of the crime and the
excuse they might give that the 'door was unlocked' would not get them
off the charge of theft and vandalism (although they might not be guilty
of 'breaking and entering', they might be considered for 'trespassing').

> My suggestion that they should hire these kids was meant to imply that
> as bad as they are they probably are more ethical than the people they
> are attacking since they aren't storing all sorts of sensitive user
> data in plain text and telling people it's all safe.

Hell NO! Wouldn't trust anyone who broke into my company like that. If
they contacted me I'd be straight onto law enforcement to report them
for trying to blackmail me.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/