| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Jan 2008 23:17:32 -0800 (PST)
From: secreview <secreview@...hmail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Professional IT Security Providers - Exposed]
QuietMove ( F + )
Our first QuietMove review can be found here.QuietMove, located at
http://www.quietmove.com is a Professional IT Security Services company
that was founded by Adam Muntner, Jeffrey Rassas and James G. (Jim)
Garvey, Jr. We’ve already performed one review of QuietMove but Adam
Munter and his team didn’t like the review. As a result, we’ve gone
back and revisited our data and are producing this second, hopefully
more accurate review.Our first point of criticism is still the
QuietMove web-site. Their services are poorly defined, and even
somewhat contradictory. For example, under their Penetration Testing
section they nearly bash the use of Automated tools. Shortly thereafter
they go on to say that they offer services for nearly the same cost as
“cookie-cutter” services.Well, we still have a problem with that. The
overhead cost of using quality talent is always going to be far greater
than the fees charged by vendors that sell automated scanning software.
Any time someone tells us that they can offer “expert driven” services
at the same price points or even nearly the same as a “cookie cutter”
service, we say bullshit.Taking it a step further, we still stick by
our previous opinion that the QuietMove website doesn’t have much to
offer prospective customers in the way of useful information. The
services shown are very poorly defined; the grammar is still horrible,
and frankly the website is incomplete. Want to see what we mean, click
on their “Social Engineering” tab under their service offerings; you’ll
notice that there is no description. We hope that their website does
not reflect the quality of their services.When Adam Muntner read our
previous post where we commented on the QuietMove Website he responded
in a reactive, emotional, and unprofessional manner. You can read his
response to our first post here, insults and all. Unfortunately for
Adam, his unprofessional attitude hurt QuietMove during this second
review.Regardless, Adam did react to our website comments, and his
reaction was as follows, verbatim:“Most of our clients are referred by
others who are very satisfied with the work we perform. Not by the
website. It doesn't get a lot of attention - were small but growing and
focused on serving our clients. I know basic HTML seems like the
pinnacle of achievement to you, but we aren't in the business of making
pretty web pages. We discuss our methodology with our clients-we don't
post it on the web. I know you were hoping to learn nimething. Hacking
for dummies might be more your speed, after you perfect your Cunt and
Paste skills.”During this second round of review, we were able to
locate more information about Adam. We found several posts that Adam
made to different mailing lists about FreeBSD, OpenBSD, Systems
Administration, etc. We also found a rather nice PowerPoint
presentation that Adam created that clearly defined specific security
services. So we know that Adam is not an idiot, but we don’t know if
he’s actually a security guru. We’re also wondering why Adam doesn’t
create the same quality content for his QuietMove website as he did for
his presentation?In tandem with Adam’s response to our initial review
of QuietMove, Adam also had other friends and associates respond. One
of those people was Andre Gironda who had a lot of great things to say
about QuietMove, but also made the unfortunate mistake of tainting his
credibility as a professional by directly attacking other vendors.Andre
Gironda asked us who we are in one of his emails. He also indirectly
accused us of exacting vengeance on QuietMove by performing a review.
While we’ve never been accused of this before by any of our other
review subjects, we feel that we should state for the record that this
is not some sort of vengeance play.Andre Gironda also said that he can
vouch for Adam’s 14 years of experience “and then some”. Apparently
when Andre met Adam of QuietMove, Adam was working as a Unix Security
Administrator for Unphamiliar. Territories (UPT), “a vulnerability
research BBS that ran from 1989 – 1996. Also according to Andre Gironda
“. It was a prominent place for information about vulnerability
research. Many held it in higher regard than Phrack magazine or any
leading website/magazine during that time period.”Sorry Andre, but we
don’t agree with your statement about UPT. Even more importantly, we’re
not sure how Adam’s experience as a Unix Security administrator (aka
systems admin) will help him offer professional IT Security Services.
Adam needs to be able to protect his clients from real world hackers,
not from failed tape backups and disk crashes.Andre went on to say that
many “small businesses such as QuietMove have a hard enough time
staying alive in this industry.” He said “I suggest you pick on someone
yourown size even if you have a legitimate problem with QuietMove or
Adam.” Our response is that we have no problem with Adam or QuietMove.
We found QuietMove by doing a google search for Penetration Testing.In
a Different email Andre lost all credibility with us because he decided
to directly attack other companies that we’ve reviewed that received
higher grades. If you compare the score cards between QuietMove and the
other company that Andre bashes, you’ll see why they got the good
grade. Anyway, here’s what Andre had to say (we’ll comment
later):“Look, you rated Denim Group as A-. You must either work there -
orknow the guys. Dan Cornell is a moron compared to Adam Muntner -
andhis code is certainly worse (e.g. Sprajax).Adam and team know Burp
Suite, use manual web application testing - inaddition to traditional
dynamic and static analysis.I have seen Adam and crew using Fortify
Software's SCA and Tracertools. I have seen them using Hailstorm ARC
and modifying theJavascript included in the SmartAttack library. I
would call this abest-of-breed security testing methodology.I have
worked for many small companies myself who do not use ANYautomated
testing, including both open-source and commercial tools. Ithink this
is stupid... and spent most of my time writing `for' loopsin shell just
to get around their limitation on "not writing scriptsto automate
things".I have also worked for small companies that "only" use
scriptinglanguages, or only use "the best" scripting language (usually
Ruby,Python, or Perl) and write all their own automated tools. This
isalso stupid -- especially when existing toolsets have lots of
greatcapability -- it's like re-inventing the wheel.Of course there are
places that "only use" commercial automated tools,but I haven't
actually met one yet. When I do -- I'll go ahead andpost an obnoxious
review about them. More people will read mine thananything you do --
and with my name on it -- they are certainly boundto take it a lot more
seriously.”Andre lost all credibility with our team when he insulted
the Denim Group. We contacted the Denim Group and spoke directly with
one of their founders when we did their review. Not only were we very
impressed with them, but they provided us with great detail about their
testing methodologies and service capabilities. Adam, Andre and the
rest of the QuietMove team haven’t provided us with anything tangible
yet, and we’ve asked. When we tried to contact them the first time we
couldn’t get hold of them, same for the second.We’re still waiting to
hear back from Adam at QuietMove with answers to our questions about
the QuietMove services. If we hear back, we’ll modify this blog entry
yet again to properly reflect what we feel is the truth. We’d also like
to make the professional suggestion that QuietMove think about their
professional image before they respond to anyone in public forum. Not
only does their reaction not look good but it could make prospective
customers turn away.Lastly, with respect to our comment about Marcin
Wielgoszewski, a QuietMove consultant being “Green”, he confirmed that
for us in an email. He wrote “You're right. I'm new and young and I'll
be the first to admit it. We can't all be born security gurus, and I'm
not trying to hide that, but me aside... what have you done besides
hide behind your gmail accountand troll FD? Thanks for pointing out
those two pages, two pages out of 100's thatwere posted a long time ago
and yes, are very out of date.”All in all it is our professional
opinion is still that QuietMove doesn’t have significant “strong” human
talent behind their services. They appear to be a very small company
run by someone that is not a “hacker” by nature but instead is a
systems administrator or your advanced IT guy with a good understanding
of Web Application Security. If you are looking to truly defend
yourselves against malicious hackers then we suggest finding a
different provider.Note: If we receive any information back from
QuietMove, other than what we’ve received in emotional reactions, then
we’ll consider adding that information to this review. If QuietMove can
provide us with proof of capability then we will accurately reflect
that capability here. We’re not in the business of bashing anyone even
if they bash us or disrespect us. We are in the business of exposing
Professional IT Security Service providers for what they really are to
the best of our ability.If you feel that QuietMove deserves a better
grade and can provide us with legitimate reasons as to why, then please
comment and we’ll consider it. (Even after all of their insults.)Score
Card (Click to Enlarge)
--
Posted By secreview to Professional IT Security Providers - Exposed at
1/01/2008 10:38:00 PM
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists