Date: Fri, 20 Feb 2009 09:24:29 -0500
From: Smoking Gun <pentesterkunt@...il.com>
To: scadasec@...s.infracritical.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [SCADASEC] 11. Re: SCADA Security - Software fee's

On Thu, Feb 19, 2009 at 7:15 PM, simon_lists <simon_lists@...soft.com> wrote:

> Joshua,
>        I understand why you wrote what you did but you're wrong. Let me
> explain...
>
>        Today the security industry is a confused and immature place.  Most
> vendors offer half assed services that sell for half assed prices.

Ironically, your own quote"company"quote offered penetration testing
services at the insane pricing scheme of "we'll pentest0r joo for free
and if we find something you can pay us to find other holes!".


> They advertise those services as if they are high quality, when they
> are not.  Few vendors offer high quality services and their prices are
> higher than the half-assed. The problem is that the consumer can't
> tell the difference between the half assed service and the high
> quality service because of how the crap service is marketed.  So, to
> the uneducated both look like a ferrari, one is a kit-car. Of course
> the uneducated people are going to choose the lower quality service.

Gullibility is nothing new nor is FUD. See my prior response in the
paragraph above.

>        That said, it's our experience as a high quality vendor that once we
> prove / demonstrate the difference in our services when compared to
> the half-assed that customers are willing to pay for real quality.

Quality vendors in the security industry are a dime a dozen. It's usually
the uninformed "security monkeys" damaging the reputations of these
companies. When I think of "quality vendors", I think of those who do
have a real world comprehension of security outside of ramblings on a
mailing list. Real security professionals rarely have the time to shoot
off dozens of email ramblings on a daily basis - you know the kind like
your protege Kevin (don't call him black) Finisterre writes. So let's have
a manager's view of your purported "quality services" as only you seem
to think you can offer it.

On your page it states: "Statistics show that companies who do not
invest in good I.T. security will fall victim to at least one serious
compromise." Can you show us where this statement was derived from?
Anyone can have fun with numbers; statistics mean little. How have you
come to this conclusion, how many clients do you supposedly have or
have studied, to draw this conclusion, since you make no reference to
your source of information?

Netragard: "Most of these companies feel that they can not justify the
cost of maintaining strong I.T. security for their business." Woe is me in
my understanding of how a company is feeling. Do they feel (companies)?
How do you know, how many companies have you talked to? An individual
in a company is no indicator of the overall posture of a company.

Netragard: "The reality is that the cost of good I.T. security is equal to a
fraction of the cost of a single successful compromise." The harsher
reality is, you can never judge the reasoning behind a company's staff
to not implement the appropriate controls. How many large companies
have you worked for in your lifetime - and by large I mean in the 1,000's?
There are plenty of obstacles in a company which are preventative to
a strong security posture. There are facts like "implementing this new
technology will cost us in the millions via way of training, it will disaffect
legacy systems, clients may jump ship out of frustration therefore for
this one technology, we may have to scrap it and put in place for it
a compensatory control." Perhaps you should learn about complexity
management.


> It's just a matter of arming customers with information so that they
> can make the decision that's right for them. In most cases our
> customers are interested in real security, they can't afford a
> compromise, so they end up working with us. In some cases the customer
> just wants a check in the box, those customers go with the cheaper
> price.

Your comments and those of your fellow "security bandits" humor
me. The mechanisms in which you correlate mom and pop like
businesses with large corporations is amazing. You should be in
sales.

>        If customers didn't care about quality and they wanted the cheap
> service then we wouldn't be in business. Right now, we're a lot more
> busy than most security firms and the load is only increasing. So you
> tell me, do people care about quality? Our customers find us because
> of the work we do for other people, quality is our trademark.

Well pitched snake oil sounding paragraph.

>        And don't insult the consumers by saying that they want the cheap
> service, people aren't as stupid as you seem to think.
>

There ARE actually people who are that stupid and the blind leading
the blind is a sad yet funny sight. So as I asked your friend Kevin,
you know the "don't call me black - I don't even work in the security
industry but sure answer a ton of questions in the field I don't even
work in" Kevin, how much experience do you *really* have outside
of being legends in your own mind?

As I sift through years of mailing list threads, I've seen nothing to
lead me to believe you're any more of an expert than a script kiddie
pitching tools on a flash based website and calling yourself a
quote"security expert"quote. The irony of Kevin's prior statement
speaks for itself "Just so you know I do have a day job, 9-6 that has
nothing to do with security." Stop the press right there, isn't that
akin to me giving out medical advice on say a medical mailing list
without even working in the medical industry? How, better yet why
should I take him, you or your company seriously. For starters, it's
sounding more like you have an IRC based company, your workers
(who don't work in the security field as Kevin stated) work a 9-6
elsewhere and have personal issues of race when questioned about
the validity of their status in the industry.

On prior matters of your stated "coward" comment, it has little
to do with being a coward and more of dealing with due diligence.
I won't post my identity not to protect myself, but the company
I work for. I don't need ping -f like DoS attacks coming into my
infrastructure because you and your protege Kevin feel slighted
about me questioning your competence in the industry. For me,
I know those who need to be known, security has always
been a small industry, and you sir, you're not even on my level
technologically, let alone on the level you're portraying yourself
to be on these mailing lists. Anyone can go back re-read the
numerous posts you clowns (Kevin, you, Adriel *Netragard*)
make and ascertain this to be factual - you have little real
world skills in this industry, proceed with caution.

There is a snippet of a song perhaps Kevin can relate to, this
I will throw out there since he has an internal racial inferiority
complex: "We aint no haters like you... Bow Down to some
nigga's that's greater than you" (Westside Connection) Ending
on that note, thank you for playing the game with me and
enforcing the facts we already know, you guys are all talk
nothing more and nothing less. Definitely not to be taken
seriously.

PS, say hello to Loki for me will ya.


>
> On Feb 19, 2009, at 3:49 PM, Yehoshua Haparua wrote:
>
>> Oh enough with the holier than thou attitude, Kevin!!! You work for
>> money just like any vendor, though the product you vend is a bit
>> different. Let's say you were offered 750$ an hour for penetrating a
>> community college network (they got a nice donation for that) or 200$
>> an hour for penetrating a local utility. Would you "lose" 500$ (times
>> the hours) just to be more "important"? Ethical? The mighty dollar is
>> also affecting your decisions.
>> You call for the vendors to take a hit for a few licenses. Are you
>> willing to do pro-bono pen-testing just to help a vendor improve his
>> product, without getting the publicity for it? No, right? So why do
>> you expect them to act differently?
>> Today's post modern market is geared towards minimum price. People
>> are not even expecting quality anymore. Regulation can help, even a
>> lot, so you need decent politics to push for effective regulation.
>> Pushing the full blame at the vendors is just kicking the nearest
>> object (and yourself, Kevin, since you are also a vendor).
>>
>> Joshua M.
>>
>> On Thu, Feb 19, 2009 at 9:15 PM, Kevin Finisterre (lists) <
>> kf_lists@...italmunition.com> wrote:
>>
>>> That's exactly my point Larry.. there isn't any incentive. No
>>> regulation, no worries.
>>>
>>> I'm sure Citect could have easily been driven from the market and
>>> based on the wild claims I heard during my disclosure process perhaps
>>> they were pretty close to it.
>>>
>>> Besides lack of incentive it's sooooooooooo much easier to chastise
>>> the big meanies that publish security information and react on an as
>>> needed basis, rather than actually doing something that may impact
>>> the "bottom line" all the while actually improving the status quo.
>>>
>>> /me wonders when pride and devotion to one's work and craft gave way
>>> to making the almighty dollar.
>>> -KF
>>>
>>>
>>> On Feb 19, 2009, at 1:56 PM, ljknews wrote:
>>>>
>>>> Speaking from the viewpoint of a software vendor, let me ask
>>>> where the incentive is to care about such things ?  Where are
>>>> the examples of prominent products being driven from the market
>>>> due to a lack of software quality ?
>>>> --
>>>> Larry Kilgallen
>>>> _______________________________________________
>>>> To unsubscribe from this mailing list, please visit:
>>>> http://news.infracritical.com/mailman/listinfo/scadasec
>>>>
>>>> To review our usage policy, please visit:
>>>> http://www.infracritical.com/usage-scadasec.html
>>>
>
>
>
>        Simon Smith
>        simon_lists@...soft.com
>         --------------------------------------
>
>        Subscribe to our blog
>         http://snosoft.blogspot.com
>
>
>
>



-- 
Making no mistakes is what establishes the certainty of victory, for
it means conquering an enemy that is already defeated. - Sun Tzu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/