Date: Wed, 2 Jan 2008 09:45:37 -0500
From: Adam Muntner <adam.muntner@...etmove.com>
To: Adam Muntner <adam.muntner@...etmove.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Secreview re-review of quietmove ( F ---)

Just to be clear the corrections to secreview reepex and Andre were  
intermingled.

The ones I mentioned were the ones secreview and reepex, the anonymous  
cowards too embarrassed by their own ignorant commentary to stand  
behind them, called out.

Dre thx for pointing out the ha.ckers.org posts. More evidence of  
secreview selective quotation and/or ability to 'research'

He can't even spell the name of the company he reviews correctly.

Secreview re-re-score-  
f---------------------------------------------------------------.

:)

Ho hum!

Adam Muntner
Managing Partner
QuietMove, Inc.
http://www.quietmove.com

Sent from my iPhone

On Jan 2, 2008, at 9:32 AM, Adam Muntner <adam.muntner@...etmove.com>  
wrote:

> Andre is a friend but not an employee or representative of the
> business- HOWEVER - There were a number of inaccuracies in his
> statements about me. A selection of corrections to statements is
> below.
>
> - I never ran UPT
> - all the speculation about our methodology and pricing was wrong.
> - the quantity of automated vs hands on testing we perform is based
> on what the customer is willing to pay for. Novel concept. We
> explain carefully what can and can't be found. The customer selects
> their appropriate level of risk acceptance based on the value of the
> target of evaluation and their budget. We always try to go above and
> beyond.
> - our overhead is low-no giant headquarters - we are virtual mostly  
> except for a rack cage. We don't have to support a giant marketing  
> team and don't do $20k trade show booths. As a result that isn't  
> built into our pricing.
> - I was never a 'uNIX admin' but did engineer one of the early
> commercially avail Beowulf clusters - in 1998 - and have run some
> unix boxes, meaning it took all of 3 hours a month of my time, but I
> was not a 'unix admin' by any stretch of the imagination. The
> openbsd posts were from what, 10 years ago?
> More evidence of your poor arithmetic skills from the initial post.
> - the website wasn't updated because I am taking a vacation to NYC  
> and would rather enjoy myself than meet some 12 hour unmentioned  
> timetable to edit the website by an anonymous coward pfy.
> - they weren't insults, they were sarcastic though accurate
> representations of your subpar (at best) review capabilities
> - others but really, who cares? You are not interested in facts as I  
> will prove below.
>
> Your analysis is worthless. Several weeks ago you posted your
> alleged methodology. It included contacting the vendor PRIOR to
> review, which you didn't do. You also didn't notify us of the review.
> I read it on fd myself.
>
> You sent a list of questions on new years day, after you posted the  
> review, and half a day later posted your re review without again  
> contacting me directly except with a monster list of questions - not  
> so much as a phone call. Your alleged review was based on list noise,
> not speaking with me.
>
> You still have yet to post your scoring methodology as promised. You  
> fail.
>
> Frankly I find the drama and anonymous weenie-waving on this list to  
> be tedious. FD is more a running joke than a productive mailing  
> list. Save the drama fo yo mama.
>
> On my timetable I'll respond to your questions.... To the list, not  
> to you directly. Frankly I don't trust you to represent them  
> accurately. Right now I'm going to visit the metropolitan museum of  
> art, and tonight go party - not answer your essay test. Sorry to  
> disappoint.
>
> As a number of list members commented privately to me - you don't  
> deserve the attention.
>
> That said, if you can prove you will follow your own previously  
> stated methodology, I'll re review your review system. Following  
> your methodology I will post a f----------- score in 6-12 hours or  
> maybe sooner if you don't respond.
>
> That's a joke, son. ;)
>
> Adam Muntner
> Managing Partner
> QuietMove, Inc.
> http://www.quietmove.com
>
> Sorry for typos - sent from my 31337 jailbroken iPhone. It runs  
> unix. I guess that makes me a unix admin!
>
> On Jan 2, 2008, at 2:17 AM, secreview <secreview@...hmail.com> wrote:
>
>> Our first QuietMove review can be found here.
>>
>> QuietMove, located at http://www.quietmove.com is a Professional IT  
>> Security Services company that was founded by Adam Muntner, Jeffrey  
>> Rassas and James G. (Jim) Garvey, Jr. We’ve already performed one
>> review of QuietMove but Adam Munter and his team didn’t like the
>> review. As a result, we’ve gone back and revisited our data and are
>> producing this second, hopefully more accurate review.
>>
>> Our first point of criticism is still the QuietMove web-site. Their  
>> services are poorly defined, and even somewhat contradictory. For  
>> example, under their Penetration Testing section they nearly bash  
>> the use of Automated tools. Shortly thereafter they go on to say  
>> that they offer services for nearly the same cost as “cookie-cutter”
>> services.
>>
>> Well, we still have a problem with that. The overhead cost of using  
>> quality talent is always going to be far greater than the fees  
>> charged by vendors that sell automated scanning software. Any time  
>> someone tells us that they can offer “expert driven” services at  
>> the same price points or even nearly the same as a “cookie  
>> cutter” service, we say bullshit.
>>
>> Taking it a step further, we still stick by our previous opinion  
>> that the QuietMove website doesn’t have much to offer prospective  
>> customers in the way of useful information. The services shown are
>> very poorly defined; the grammar is still horrible, and frankly the
>> website is incomplete. Want to see what we mean, click on their
>> “Social Engineering” tab under their service offerings;
>> you’ll notice that there is no description. We hope that their
>> website does not reflect the quality of their services.
>>
>> When Adam Muntner read our previous post where we commented on the  
>> QuietMove Website he responded in a reactive, emotional, and  
>> unprofessional manner. You can read his response to our first post  
>> here, insults and all. Unfortunately for Adam, his unprofessional  
>> attitude hurt QuietMove during this second review.
>>
>> Regardless, Adam did react to our website comments, and his  
>> reaction was as follows, verbatim:
>>
>> “Most of our clients are referred by others who are very satisfied
>> with the work we perform. Not by the website. It doesn't get a lot
>> of attention - were small but growing and focused on serving our
>> clients. I know basic HTML seems like the pinnacle of achievement
>> to you, but we aren't in the business of making pretty web pages.
>> We discuss our methodology with our clients-we don't post it on the
>> web. I know you were hoping to learn nimething. Hacking for dummies
>> might be more your speed, after you perfect your Cunt and Paste
>> skills.”
>>
>> During this second round of review, we were able to locate more  
>> information about Adam. We found several posts that Adam made to  
>> different mailing lists about FreeBSD, OpenBSD, Systems  
>> Administration, etc. We also found a rather nice PowerPoint  
>> presentation that Adam created that clearly defined specific  
>> security services. So we know that Adam is not an idiot, but we
>> don’t know if he’s actually a security guru. We’re also
>> wondering why Adam doesn’t create the same quality content for his
>> QuietMove website as he did for his presentation?
>>
>> In tandem with Adam’s response to our initial review of QuietMove,
>> Adam also had other friends and associates respond. One of those
>> people was Andre Gironda who had a lot of great things to say about
>> QuietMove, but also made the unfortunate mistake of tainting his
>> credibility as a professional by directly attacking other vendors.
>>
>> Andre Gironda asked us who we are in one of his emails. He also  
>> indirectly accused us of exacting vengeance on QuietMove by  
>> performing a review. While we’ve never been accused of this before
>> by any of our other review subjects, we feel that we should state
>> for the record that this is not some sort of vengeance play.
>>
>> Andre Gironda also said that he can vouch for Adam’s 14 years of
>> experience “and then some”. Apparently when Andre met Adam of
>> QuietMove, Adam was working as a Unix Security Administrator for
>> Unphamiliar. Territories (UPT), “a vulnerability research BBS that
>> ran from 1989 – 1996. Also according to Andre Gironda “. It was
>> a prominent place for information about vulnerability research.
>> Many held it in higher regard than Phrack magazine or any leading
>> website/magazine during that time period.”
>>
>> Sorry Andre, but we don’t agree with your statement about UPT. Even
>> more importantly, we’re not sure how Adam’s experience as a
>> Unix Security administrator (aka systems admin) will help him offer
>> professional IT Security Services. Adam needs to be able to protect
>> his clients from real world hackers, not from failed tape backups
>> and disk crashes.
>>
>> Andre went on to say that many “small businesses such as QuietMove
>> have a hard enough time staying alive in this industry.” He said
>> “I suggest you pick on someone your
>> own size even if you have a legitimate problem with QuietMove or
>> Adam.” Our response is that we have no problem with Adam or
>> QuietMove. We found QuietMove by doing a google search for
>> Penetration Testing.
>>
>> In a different email Andre lost all credibility with us because he
>> decided to directly attack other companies that we’ve reviewed that
>> received higher grades. If you compare the score cards between
>> QuietMove and the other company that Andre bashes, you’ll see why
>> they got the good grade. Anyway, here’s what Andre had to say
>> (we’ll comment later):
>>
>> “Look, you rated Denim Group as A-. You must either work there - or
>> know the guys. Dan Cornell is a moron compared to Adam Muntner - and
>> his code is certainly worse (e.g. Sprajax).
>>
>> Adam and team know Burp Suite, use manual web application testing -
>> in addition to traditional dynamic and static analysis.
>>
>> I have seen Adam and crew using Fortify Software's SCA and Tracer
>> tools. I have seen them using Hailstorm ARC and modifying the
>> Javascript included in the SmartAttack library. I would call this a
>> best-of-breed security testing methodology.
>>
>> I have worked for many small companies myself who do not use ANY
>> automated testing, including both open-source and commercial tools. I
>> think this is stupid... and spent most of my time writing `for' loops
>> in shell just to get around their limitation on "not writing scripts
>> to automate things".
>>
>> I have also worked for small companies that "only" use scripting
>> languages, or only use "the best" scripting language (usually Ruby,
>> Python, or Perl) and write all their own automated tools. This is
>> also stupid -- especially when existing toolsets have lots of great
>> capability -- it's like re-inventing the wheel.
>>
>> Of course there are places that "only use" commercial automated tools,
>> but I haven't actually met one yet. When I do -- I'll go ahead and
>> post an obnoxious review about them. More people will read mine than
>> anything you do -- and with my name on it -- they are certainly bound
>> to take it a lot more seriously.”
>>
>> Andre lost all credibility with our team when he insulted the Denim  
>> Group. We contacted the Denim Group and spoke directly with one of  
>> their founders when we did their review. Not only were we very  
>> impressed with them, but they provided us with great detail about  
>> their testing methodologies and service capabilities. Adam, Andre
>> and the rest of the QuietMove team haven’t provided us with
>> anything tangible yet, and we’ve asked. When we tried to contact
>> them the first time we couldn’t get hold of them, same for the second.
>>
>> We’re still waiting to hear back from Adam at QuietMove with
>> answers to our questions about the QuietMove services. If we hear
>> back, we’ll modify this blog entry yet again to properly reflect
>> what we feel is the truth. We’d also like to make the professional
>> suggestion that QuietMove think about their professional image
>> before they respond to anyone in public forum. Not only does their
>> reaction not look good but it could make prospective customers turn away.
>>
>> Lastly, with respect to our comment about Marcin Wielgoszewski, a
>> QuietMove consultant being “Green”, he confirmed that for us in
>> an email. He wrote “You're right. I'm new and young and I'll be the
>> first to admit it. We can't all be born security gurus, and I'm
>> not trying to hide that, but me aside... what have you done besides
>> hide behind your gmail account
>> and troll FD? Thanks for pointing out those two pages, two pages
>> out of 100's that
>> were posted a long time ago and yes, are very out of date.”
>>
>> All in all, our professional opinion is still that QuietMove
>> doesn’t have significant “strong” human talent behind their
>> services. They appear to be a very small company run by someone
>> that is not a “hacker” by nature but instead is a systems
>> administrator or your advanced IT guy with a good understanding of
>> Web Application Security. If you are looking to truly defend
>> yourselves against malicious hackers then we suggest finding a
>> different provider.
>>
>> Note: If we receive any information back from QuietMove, other than
>> what we’ve received in emotional reactions, then we’ll consider
>> adding that information to this review. If QuietMove can provide
>> us with proof of capability then we will accurately reflect that
>> capability here. We’re not in the business of bashing anyone even if
>> they bash us or disrespect us. We are in the business of exposing
>> Professional IT Security Service providers for what they really
>> are to the best of our ability.
>>
>> If you feel that QuietMove deserves a better grade and can provide
>> us with legitimate reasons as to why, then please comment and
>> we’ll consider it. (Even after all of their insults.)
>>
>> --
>> Posted By secreview to Professional IT Security Providers - Exposed  
>> at 1/01/2008 10:38:00 PM
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
