Date: Wed, 11 Jan 2012 02:21:20 -0500
From: Valdis.Kletnieks@...edu
To: Laurelai <laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said:

> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't going
> to be causing any trouble anymore.

How safe a bet, exactly?  Safe enough to bet your business on it? Microsoft has
$40B in cash handy to survive on if something goes wrong.  What's *your* Plan B
if the kid you hired blabs about his gig and one of his buddies rapes your net using
the credentials you gave the kid to do the pen test?

> Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong?

A really clever guy by the name of Edsger Dijkstra once said "Testing can prove
the presence of bugs, but not their absence".  If you're getting a pen test
done by somebody who says your network is safe, you're being ripped off. First,
all networks have holes - if the pen tester comes up empty, it doesn't mean
your net is secure, it means finding the holes needs somebody with better
skills. Second, any pen tester who says "the net is safe" is a rip-off artist.
At best, they can say "we did not find any of the following vulnerabilities we
tested for. There may be vulnerabilities present that we were unable to find
under the rules of engagement, which limit the scope and total time and money
spent".

Also, it's not just about who you trust more to find the holes, it's who you
trust to be professional while they do it.

Or the "put your money where your mouth is (literally)" version - which one
would you rather have working for your bank when they find a security hole that
allows them access to your checking account?

