lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060219131927.GA23512@eltex.net>
Date: Sun, 19 Feb 2006 16:19:27 +0300
From: ArkanoiD <ark@...ex.ru>
To: Seth Breidbart <sethb@...ix.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking


nuqneH,

Actually, both are quite useless and non-informative.
(should i explain?)
"fixing the holes" is, for my estimation, hardly more than 10% of
computer security process. Thanks to stupid hollywood movies, 
customers are almost completely unaware of that :-(
They still think a computer security expert is a person who performs
attacks and provides a report if he succeeds.

On Fri, Feb 17, 2006 at 12:43:49AM -0500, Seth Breidbart wrote:
> "Marcus J. Ranum" <mjr@...um.com> wrote:
> 
> > If you're trying to understand the security properties of a
> > system by breaking into it, you not producing valuable
> > reports, anyhow. All you are doing is telling them where
> > to put the next band-aid.
> 
> I know of too many (more than none is too many) examples where a
> company went to a Big Consulting Firm and asked for a report on the
> security of their systems.  Many tens of kilobucks later, they got a
> fancy bound report that said "we couldn't break in" followed by 200
> pages of ass-covering by the consulting firm.  Then they went to a
> real security expert, who spent one day attacking their system and
> gave them a report saying "here are the five easiest ways I found to
> break into your system.  Fix them and call me back."
> 
> You might not consider that valuable; but how do you consider the
> expensive fancy bound completely worthless report?
> 
> Seth


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ