Message-ID: <EA7C77F97CC73F4AAC856A4595DF34E20B8FA107@swilnts801.wil.fusa.com>
From: Glenn_Everhart at bankone.com (Glenn_Everhart@...kone.com)
Subject: Re: NMRC article and followup

Ah, some of us in banks are aware of fraud and working on some
answers. We'll see if they help.

Recall my analogy of the work of info security to that of building
fortifications. The first guy who thought of wide low sloped earth
banks to resist cannon fire probably didn't want to give his adversaries
advance notice in which to devise digging machines either.

Didn't care for the white paper though. I prefer to look at how
people live and wrt computer security, how often they ask what
the security implications of anything they do are. "By their fruits
shall ye know them..." (Also: "Use the source, Luke!")

;-)

Glenn Everhart


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of George
Capehart
Sent: Friday, August 06, 2004 11:49 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly
bliss....


On Thursday 05 August 2004 18:49, hellNbak allegedly wrote:
> On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy
> wrote:

<snip>

>
> The only mistake you make above is that you paint the entire industry
> with the same brush.  Yes, I and a lot of people make money in this
> industry. We took a hobby and made it a job -- why not?  Why not get
> paid for something you enjoy.  Working in this industry does not
> automatically make you a false prophet as you explain above.
>
> Over the long term -- no one will benefit -- and I don't care how big
> the paycheck is -- telling a client what they want to hear is not the
> way many of us choose to make a living.  Sure, there are a lot of
> people in EVERY industry that are willing to push ethics aside and do
> what it takes for that paycheck but I know I can look myself in the
> mirror and say that I am not one of those people.
>
> Eventually the false prophets are exposed, sure they already got
> their paycheck and have moved on to the next sucker but eventually
> they run out of suckers and money.
>
> > What do you hope to achieve, or how do you believe your opinion is
> > being relevant or novel, if you come to this audience, and state
> > that CERT is no longer credible, and is a bunch of crooks who live
> > off selling advance vulnerability warnings? Or that Microsoft is
> > not exactly particularly devoted to improving security of their
> > products and protecting their customers?
>
> I hoped to stir some shit up, perhaps give the guys over at
> secure@...rosoft.com a bit of a kick in the nuts as there was a time
> that they were making at least a little progress.  I was hoping to
> draw enough attention to this issue that perhaps someone from one of
> the major banks will one day sit down and correlate the connection
> between vulnerabilities such as this and losses due to fraud.  The
> only way that any vendor is going to be forced to actually care about
> security and actually care about users is when those users mean lots
> of $$$ to them.

There just might be some hope . . . check out this white paper from PWC 
on "Integrity-Driven Performance."
http://www.cfodirect.com/cfopublic.nsf/f19696b6432afb8b8525690a000c9f67/86a39deb761f514d85256e3f00641442/$FILE/PWC_GRC_WP.pdf

(URL might wrap).  You can get it from Google if you search on 
pwc_grc_wp.pdf . . .

Cheers,

/g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



