| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Jan 2008 11:47:27 -0600
From: "Jerry dePriest" <jerryde@...net>
To: "Nate McFeters" <nate.mcfeters@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers -Exposed]
PlanNetGroup ( F )
not aimed at anyone in general. sorry Nate. just following a thread...
j.d.
----- Original Message -----
From: Nate McFeters
To: Jerry dePriest
Cc: SecReview ; full-disclosure@...ts.grok.org.uk
Sent: Monday, January 21, 2008 11:29 AM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )
Was that aimed at me or secreview? I do NOT have MLK off, which is a travesty in and of itself, but I also feel it is important to challenge secreview on this matter.
On 1/21/08, Jerry dePriest <jerryde@...net> wrote:
nice to see some have mlk off and nothing better to do
----- Original Message -----
From: "SecReview" < secreview@...hmail.com>
To: <nate.mcfeters@...il.com>
Cc: <full-disclosure@...ts.grok.org.uk >
Sent: Monday, January 21, 2008 10:40 AM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]
PlanNetGroup ( F )
> Nate,
> Your email was constructive and much appreciated. We'll go over
> the review a second time and incorporate some of your suggestions.
> Thank you for taking the time to provide so much good feedback.
>
>
>
> On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters
> <nate.mcfeters@...il.com> wrote:
>>SecReview,
>>My 2 cents on your review, although I will try to be nicer then
>>you were to
>>the reviewee. I'm completely skipping your section where you
>>talked to the
>>non-technical person, that's not even fair... sorta like reviewing
>>a
>>consulting group based on their website alone... oh shit, I forgot
>>you guys
>>do that too.
>>
>>Your comments on Question 1:
>>
>>We're not impressed with Michael's answer. First off we have no
>>idea what
>>the hell this means: "Depending on time and availability, we will
>>work on
>>finding any new vulnerability if we generate an anomaly of
>>interest." And we
>>totally disagree with "Currently, the focus is primarily on
>>discovering new
>>Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat
>>on,
>>compared to Oracle." In fact, whatever is being described above
>>doesn't
>>sound anything like a vulnerability assessment, we're not sure
>>what kind of
>>service it is.
>>
>>The first portion "Depending on time and availability..." I don't
>>understand
>>what your confusion is. Basically the responder is saying that
>>he's willing
>>to do what the client will pay him for. Consulting is not a
>>cookie-cutter
>>gig, so sometimes clients want you to spend 5 minutes running
>>scans, some
>>want you to fuzz a proprietary protocol for as long as it takes.
>>I
>>personally don't think either end of the extreme is of value to
>>the client,
>>but you can hardly fault the respondent for delivering what the
>>client asks
>>for.
>>
>>The second, I don't agree the overall focus is on Oracle, but if
>>you read
>>the new (ZDnet, eWeek), or if you follow the conferences (HITB
>>Malaysia 2007
>>great Oracle presnetation), then you will know that Oracle is
>>catching a bit
>>of the limelight. Besides that, I don't think you are qualified
>>to say what
>>exactly a vulnerability assessment is... if the client is paying
>>you to
>>assess their database servers, then that is a vulnerability
>>assessment of
>>their database servers and that is what the work is. Different
>>clients have
>>different needs, and their are different specialty consulting
>>groups to help
>>meet those... can hardly fault him if his specialty is databases.
>>
>>Your Comments on Question 2:
>>
>>>>trying to be cute with your "Again, carefully!" bullshit?
>>
>>Come on guys... imagine you get called by a group of people asking
>>to assess
>>your company and you don't know who they are, wouldn't you try to
>>befriend
>>them if possible? A little professionalism would go a long way to
>>improving
>>your reviews.
>>
>>>>A penetration test is not "Anything Goes!"
>>
>>Umm... sorry guys, there is plenty of cause for performing a
>>Denial of
>>Service test. Keep in mind that availability is a large portion
>>of what
>>security is about. I don't think he's talking about using a bot
>>net to try
>>to take them down.
>>
>>>>it doesn't sound like Michael knows how to perform IDS evasion
>>testing.
>>Using a proxy is >>not going to help anyone evade detection, it
>>will just
>>help them to hide their IP address.
>>
>>Hmm... well, you're partially right. I suppose that if he had
>>enough proxy
>>servers and kept his scans very focused, he "might" be able to get
>>around an
>>IDS. In any case, not all clients want IDS evasion performed...
>>for
>>instance, they may want to test their incident response, or, they
>>may allow
>>the consulting group through the IPS/IDS in an effort to save on
>>time and
>>costs.
>>
>>Your response to question 3:
>>
>>>>From the answer above, it looks like they like the same tools as
>>most
>>people. That said, >>we've seen no proof of talent from anyone at
>>PlanNetGroup yet. So we're near certain that >>their deliverables
>>ARE the
>>product of automation.
>>
>>If they are the same tools that everyone use, how can you knock
>>them for
>>that? It seems to me that a group starts with a score of 0 in
>>your book,
>>and then if they impress you they get points. If you don't ask
>>the right
>>questions, I don't see how they could impress you. I concede, it
>>is
>>certainly possible that they have no skills, and that they use
>>automation,
>>but I don't think it is fair to say that at this point of the
>>review.
>>
>>Your response to question 4:
>>
>>>>Woha, it takes too much time to create a fake deliverable? Well
>>that's one
>>way to get out >>of it, but we don't buy it. Either way, at this
>>point we
>>don't feel that a sample report would >>help this review, we've
>>seen nothing
>>impressive yet.
>>
>>Ever tried to do so? It does take awhile, and it is risky. If
>>you miss
>>sanitization and release results of one of your clients you could
>>get sued.
>> Perhaps given the context of the investigation he didn't want to
>>give you
>>an old report and it would take to long and too much of his
>>billable time to
>>actually get this to you. That's not unreasonable. You aren't
>>paying him.
>> Again with the comments of nothing impressive yet. You are
>>asking generic
>>questions, how could anything be impressive? It's a phone call or
>>email and
>>you are asking questions that almost all consulting groups should
>>have
>>relatively the same answers to... I see nothing impressive in that
>>at all.
>>
>>Your response to question 5:
>>
>>>>It sounds like Michael has a difficult time sticking to the
>>scope of work.
>>Any time anyone >>performs Distributed Metastasis it should be
>>built into a
>>scope of work first. If it is not, >>then do not perform the
>>testing because
>>it is invasive and will get you into trouble. This is >>a big
>>negative point
>>in our eyes as its critical that providers are able to adhere to
>>the scope
>>>>of work for each specific engagement.
>>
>>I actually agree with most of this, but then again, as long as he
>>doesn't go
>>over the clients budgetary and time constraints and is providing
>>the
>>customer with value, I have no problem with going outside of scope
>>as long
>>as the client does not. Also, I don't know that it is a big
>>negative as you
>>say.
>>
>>Your response to question 6:
>>
>>>>It sounds like Michael is a corporate security guy and has no
>>experience
>>as a hacker.
>>Bit of a blanket statement I'd say, but OK, let's assume you are
>>correct
>>>>Certifications hold little to no water when it comes to real IT
>>security.
>>Agreed, but you are totally putting words into his mouth. He
>>basically says
>>the same thing by calling the CISSP a definition test. Why do
>>that? Most
>>people in security have the certs... most realize they are worth
>>nothing and
>>don't really test tech knowledge, but instead test business
>>knowledge.
>>>>What does hold water is experience and from what we can tell,
>>Michael has
>>no real hacker >>experience.
>>Please define "no real hacker experience". If you mean he isn't
>>31337 like
>>you guys, then OK. BTW, most clients aren't just paying for "real
>>hacker
>>experience" they're also paying for the business side, i.e. what
>>is my risk,
>>how can I mitigate, etc. A good team has both people.
>>
>>On your response to question 7:
>>
>>Do you resell third party technologies?
>>
>>>>We don't think that it is a good idea that Professional IT
>>Security
>>Providers sell third party >>technologies. Specifically because
>>they become
>>biased towards a specific technology and >>push that technology as
>>a method
>>of remediation when better methods might already exist.
>>Agreed. But that said, what if your third-party tech. has nothing
>>to do
>>with the main thrust of your consulting work? The question is
>>pretty vague.
>>
>>On your response to question 8 and 9:
>>
>>Ok, I'll buy that you have cookie cutter definitions from google
>>of those
>>flaws and that his definitions don't fit. I'll even buy that you
>>make a
>>good point when you say EIP overwrite is not the only method of
>>exploitation
>>(especially these days), but I'm wondering what you expected.
>>Should he
>>have rattled on and on about how to exploit b0f in an XP SP 2
>>environment?
>> Talk to you at length about DEP? Bit ridiculous expectations.
>>Hell, while
>>your at it, why didn't you ask him about integer overflows? Off-
>>by
>>one/few/many exploits? Heap overflows? Why not have him recite
>>the Heap
>>Fung Sheui method to you? What about double free flaws, dangling
>>pointers,
>>etc. etc. etc. Let's be serious here, unless you are contracted
>>by
>>Microsoft or another major software vendor, you probably don't pay
>>the bills
>>by doing your own research, so... does this really matter? Sure,
>>it's
>>great... I'd like to know that consultants I was paying top dollar
>>to knew
>>about this, but if he comes on site and spends 3 weeks trying to
>>find an
>>integer overflow, I'm going to be pissed.
>>
>>Disclaimer:
>>I'm not a client of PlanNetGroup. Also, I don't think what you
>>are trying
>>to do is a terrible thing, there's lots of snake oil being sold in
>>the
>>commoditized security market out there, but I disapprove of your
>>professionalism and your methods. Also, I believe the list is
>>still waiting
>>for you to credentialize yourself/yourselves. That still hasn't
>>seem to be
>>grasped here. Look, if you're someone people respect, then maybe
>>people
>>will buy your reviews, but somehow I doubt that is the case. I'm
>>basing
>>that view off of the content of your website and the fact that you
>>still
>>have not credentialized yourself as the list called for so long
>>ago. Do
>>that, and I will re-review my review of your reviews.
>>
>>Nate
>>
>>On Jan 20, 2008 7:17 PM, secreview <secreview@...hmail.com> wrote:
>>
>>> The PlanNetGroup is a Professional IT Security Services Provider
>>located
>>> at http://www.plannetgroup.com. <http://www.plannetgroup.com/>
>>One of our
>>> readers requested that we perform a review of the PlanNetGroup,
>>so here it
>>> is. It is important to state that there isn't all that much
>>information
>>> available on the web about the PlanNetGroup, so this review is
>>based mostly
>>> on the interviews that we performed.
>>>
>>> The PlanNetGroup was founded by Jim Mazotas of Ohio USA
>>according to this Affirmative
>>> Action Verification Form< http://odnapps01.odn.state.oh.us/das-
>>eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b
>>8525735d00607a6d?OpenDocument>.
>>> We called Mr. Succotash and spoke with him for about an hour
>>about his
>>> company, here's what he had to say.
>>>
>>> When we spoke with Jim Mazotas we asked him how he defined a
>>Penetration
>>> Test. His answer wasn't really an answer at all but rather was a
>>bunch of
>>> technical words strung into sentences that made no sense. Here
>>is what he
>>> said for the most part. We can't give you an exact quote because
>>he
>>> requested that some of the information related to clients, etc
>>be kept
>>> confidential.
>>>
>>> "We get to target object, where we go with that is based upon
>>the client's
>>> comfort level. We grab banner information, backend support
>>information, and
>>> other kinds of information. During a penetration test we most
>>will not
>>> penetrate. Most mid level companies will not want penetration."
>>– Sanitized
>>> Quote from Jim
>>>
>>> Not only do we not understand what Jim said, but he'd be better
>>off saying
>>> "I don't know" next time instead of looking like an idiot and
>>making up an
>>> answer. This goes for all of you people that get asked technical
>>questions.
>>> If you say "I don't know" at least you won't look like a fool.
>>Anyway.
>>>
>>> When we asked Jim to define a Vulnerability Assessment, we
>>became even
>>> more flustered. Again his answer was like a politician trying to
>>evade a
>>> question with a bunch of nonsensical noise. Again, we've
>>sanitized this at
>>> Jim's request.
>>>
>>> " A Vulnerability Assessment is more a lab based environment
>>type test.
>>> Analyze servers and all nodes that are a true vital asset to the
>>company and
>>> assess the vulnerability In a very planned out manner. This is
>>done in a lab
>>> based environment." – Sanitized Quote from Jim
>>>
>>> Again, next time say "I don't know" because now you look like an
>>idiot.
>>> Nobody expects you to know everything, but when you make shit up
>>and try to
>>> fool people, its insulting. To be fair to Jim, he did say that
>>he was not
>>> technical, but we didn't get technical here. As the founder of
>>the business
>>> he should at least know what his different service boundaries
>>are and how
>>> his services are defined.
>>>
>>> When we asked Jim if his team performed Vulnerability Research
>>and
>>> Development, he said that they did not have the time because
>>they were
>>> "fully booked". His primary customer base includes state
>>government and a
>>> few private sector businesses. Unfortunately, we can't disclose
>>who his
>>> exact customers are. He did say that he provides Network
>>Management Services
>>> and Wireless Management services for many of his clients. Sounds
>>more IT
>>> related than Professional Security related.
>>>
>>> When we finished with our call to Jim we asked him if he'd be
>>kind enough
>>> to give us contact information for someone more technical in his
>>company. He
>>> told us that he'd be happy to arrange a call with someone. At
>>the end, we
>>> didn't end up calling anyone but instead shot a few emails back
>>and fourth.
>>> The rest of this review is based on those emails.
>>>
>>> We decided to ask the same questions to Jim's technical expert.
>>We know
>>> who his expert is, but we assume that he wants to stay anonymous
>>because he
>>> signed his email with "Jason Bourne". So for the sake of this
>>interview
>>> we'll call him Michael. Here's the email from Michael:
>>>
>>> -) How do you perform your vulnerability assessments?
>>>
>>> "* Carefully! :) Typically, we will work with the customer to
>>define the
>>> scope of the assessment; limitations to OS, Network Equipment,
>>Web
>>> Server, etc. This could be a combination of components
>>(depending on
>>> scope), the real goal ultimately with this is to assess the
>>patching
>>> effort of a customer. Depending on time and availability, we
>>will work
>>> on finding any new vulnerability if we generate an anomaly of
>>interest.
>>> Currently, the focus is primarily on discovering new Oracle
>>> vulnerabilities - as MS SQL 2K5 is more difficult to beat on,
>>compared
>>> to Oracle. Within vulnerability assessments, we disregard any
>>attempts
>>> to evade IDS, IPS, etc."
>>>
>>> We're not impressed with Michael's answer. First off we have no
>>idea what
>>> the hell this means: "Depending on time and availability, we
>>will work on
>>> finding any new vulnerability if we generate an anomaly of
>>interest." And we
>>> totally disagree with "Currently, the focus is primarily on
>>discovering new
>>> Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat
>>on,
>>> compared to Oracle." In fact, whatever is being described above
>>doesn't
>>> sound anything like a vulnerability assessment, we're not sure
>>what kind of
>>> service it is.
>>>
>>> -) How do you perform your penetration testing?
>>>
>>> * Again, carefully! The definition that I use with customers is -
>>
>>> Anything Goes! In addition to attempting to locate missing
>>patches,
>>> vulnerable IOS's, applications, etc - we will perform an
>>assortment of
>>> timed attacks, attempt to spoof trusted connections, or even
>>perform
>>> social engineering - like dropping a few pre-trojan'd usb data
>>sticks
>>> outside of a customer service area, a data center, etc. The only
>>thing
>>> that we do not perform, typically, is denial of service style or
>>type of
>>> attacks. We have had only one customer that we felt was in the
>>position
>>> to handle such a test and it was performed against their
>>disaster
>>> recovery infrastructure, not production."
>>>
>>> Michael, why are you trying to be cute with your "Again,
>>carefully!"
>>> bullshit? A penetration test is not "Anything Goes!", if that's
>>how you
>>> define it then I don't want you anywhere near any of my
>>networks. And why
>>> the hell would you perform a Denial of Service attack against
>>anyone?
>>> Everybody can be knocked off line if you fill up their pipe. You
>>scare us
>>> man!
>>>
>>>
>>> -) How do you perform evasive IDS testing?
>>>
>>> "* We use a series of proxy servers to attempt to perform basic
>>hacking
>>> techniques; port scans, blatant attacks, etc. We are typically
>>going to
>>> look for TCP resets as a means to evaluate if IDS is present and
>>> possibly to find if IDS performs blocking activity. Often times,
>>if a
>>> system in a trusted DMZ can be compromised and used as a proxy
>>> (exploiting a relationship or rule within a firewall) or an SSH,
>>SSL,
>>> encrypted tunnel can be established to a server behind the IDS
>>sensor
>>> than we can successfully pull off an attack without the
>>customers
>>> security staff even knowing."
>>>
>>> It doesn't sound like Michael knows how to perform IDS evasion
>>testing.
>>> Using a proxy is not going to help anyone evade detection, it
>>will just help
>>> them to hide their IP address. If the target network or
>>application is being
>>> protected by an IPS device, then the IP that they are attacking
>>from will be
>>> shunned just the same. So, we understand that the PlanNetGroup's
>>expert
>>> hasn't a clue as to how to evade IDS. (Michael, did you get your
>>answer from
>>> Google?)
>>>
>>> -) What tools do you favor?
>>>
>>> "* We really do not favor any tools. The focus of our effort
>>(Assuming we
>>> are performing a pen-test or assessment) is to analyze a
>>situation and
>>> choose the best tool for the end result or compromise. I will
>>use commercial
>>> applications, such as AppScan, WebInspect, even ISS. There are
>>however
>>> plenty of freeware, low-cost tools that we use; nmap, nessus,
>>metasploit -
>>> ultimately, I find that an internet browser and a telnet prompt
>>will suffice
>>> for much of the testing. It ultimately gets back to interpreting
>>the results
>>> and adjusting the testing accordingly. We make it a point to try
>>out new
>>> freeware tools on every assignment. The more tools that we know
>>of and can
>>> test with opens our options if in the future a situation best
>>suited for a
>>> tool presents itself."
>>>
>>> Every business that delivers security services has a set of
>>tools that
>>> they use. These tools change from business to business, but
>>common ones are
>>> nessus, webinspect, CANVAS, Core Impact, Metaspoloit, etc. From
>>the answer
>>> above, it looks like they like the same tools as most people.
>>That said,
>>> we've seen no proof of talent from anyone at PlanNetGroup yet.
>>So we're near
>>> certain that their deliverables ARE the product of automation.
>>>
>>> -) Can you provide us with sample deliverables? (sanitized)
>>>
>>> "* No, too much time. Even to sanitize creates an opportunity
>>for a
>>> liability in the event that a customer name is exposed ...
>>accidents do
>>> happen! I will say that we do not take dumps from applications
>>and
>>> regurgitations the information on paper. We limit our executive
>>summary to 6
>>> pages at most and attempt to keep the entire report limited to
>>25 pages in
>>> total. Our goal with a deliverable is to get the precise
>>information to the
>>> key stake holders so that they can make a decision."
>>>
>>> Woha, it takes too much time to create a fake deliverable? Well
>>that's one
>>> way to get out of it, but we don't buy it. Either way, at this
>>point we
>>> don't feel that a sample report would help this review, we've
>>seen nothing
>>> impressive yet.
>>>
>>> -) Do you offer the option of performing Distributed Metastasis?
>>>
>>> "* No, not really. This is my decision as in a previous life I
>>got walked
>>> out of Bell Atlantic Mobile (Verizon Wireless) using this
>>technique when I
>>> compromised their Unix infrastructure by compromising the rlogin
>>function
>>> (on all Unix servers, across all data centers). There is no
>>substitute for
>>> experience, especially bad ones!"
>>>
>>> It sounds like Michael has a difficult time sticking to the
>>scope of work.
>>> Any time anyone performs Distributed Metastasis it should be
>>built into a
>>> scope of work first. If it is not, then do not perform the
>>testing because
>>> it is invasive and will get you into trouble. This is a big
>>negative point
>>> in our eyes as its critical that providers are able to adhere to
>>the scope
>>> of work for each specific engagement.
>>>
>>> -) What is your background with relation to information
>>security?
>>>
>>> "* Too long, too boring. Yeah got the CISSP (nice vocabulary
>>test), but
>>> had to as I worked for DOD. Got a number of Certifications (I
>>have a stack
>>> almost an inch thick and only get into them about once a year to
>>throw
>>> another couple on top of the previous ones - too much alphabet
>>soup for me,
>>> but bosses and customers like it. Spoke at a number of
>>> European conferences, but found too many people did not
>>understand a word
>>> I was talking about, so I got tired of that and quit that scene.
>>My outlook
>>> on security has changed, to the point that I will advise
>>customers of their
>>> risk, attempt to make it practical - but if they make a
>>conscious choice not
>>> to listen - I do not fret over it.?"
>>>
>>> It sounds like Michael is a corporate security guy and has no
>>experience
>>> as a hacker. Certifications hold little to no water when it
>>comes to real IT
>>> security. What does hold water is experience and from what we
>>can tell,
>>> Michael has no real hacker experience.
>>>
>>> -) Do you resell third party technologies?
>>>
>>> "* No, but kind of wished that we would. I think that it would
>>help with
>>> sales."
>>>
>>> We don't think that it is a good idea that Professional IT
>>Security
>>> Providers sell third party technologies. Specifically because
>>they become
>>> biased towards a specific technology and push that technology as
>>a method of
>>> remediation when better methods might already exist.
>>>
>>> -) Can you tell me why the EIP is important?
>>>
>>> "* The EIP controls an applications execution. If an attacker
>>can modify
>>> the EIP while it is being pushed on the stack then the attacker
>>*could*
>>> execute their own code and create a thread (aka. a buffer
>>overflow condition
>>> exists). I had a good refresher this past year at Blackhat with
>>a course run
>>> by Saumil Shah - he had an interesting buffer overflow
>>> for the Linked-In client."
>>>
>>> The EIP is the Instruction Pointer for the x86 architecture. The
>>purpose
>>> of the EIP is to point to the next instruction in a particular
>>code segment.
>>> If the EIP can be overwritten then the flow of control of an
>>application can
>>> be changed. In most cases this can lead to the execution of
>>arbitrary code
>>> on the targeted system. Hackers use this to penetrate vulnerable
>>systems.
>>>
>>> -) Can you define a format string exploit?
>>>
>>> "* A format string exploit leverages what is considered a
>>programming
>>> bug. If input is not sanitized, an attacker can perform calls to
>>the
>>> stack; read, write, etc without knowing details about the EIP."
>>>
>>> Unfortunately this answer isn't accurate or detailed enough as
>>almost all
>>> software vulnerabilities are the result of user input that is
>>not properly
>>> sanitized or validated. A format string condition occurs when a
>>user inserts
>>> a format token into a C based application and that input is not
>>properly
>>> sanitized. Hence why it is called a format string vulnerability.
>>When that
>>> input hits a function that performs formatting, such as printf()
>>the input
>>> is interpreted in accordance with the format tokens. Sometimes
>>this can be
>>> used to write arbitrary data to arbitrary memory locations. The
>>EIP isn't
>>> the only valuable memory location.
>>>
>>>
>>>
>>>
>>> If you've managed to get this far, then you've survived reading
>>Michael's
>>> answers to our questions. We're not going to spend much more
>>time writing
>>> this review because by now we've formed our opinion. We did take
>>a quick
>>> look at the PlanNetGroup's website and as with their people, we
>>were not the
>>> least bit impressed.
>>>
>>> Our opinion of the PlanNetGroup is that they'd have a hard time
>>hacking
>>> their way out of a wet paper bag. Their security expert is not
>>an expert by
>>> our standards, as he did not properly answer any of our
>>questions or help to
>>> define any of their services. We're pretty sure that the
>>PlanNetGroup could
>>> run nessus and offer basic vulnerability assessment services.
>>We're also
>>> pretty sure that they could offer IT services at some level. But
>>we'd hardly
>>> call them subject matter experts and wouldn't recommend their
>>services to
>>> anyone.
>>>
>>> If you are using the PlanNetGroup services and feel that we have
>>not given
>>> them a fair review then please comment on this post. We will
>>consider your
>>> comments. We have to say that Jim and Michael were both very
>>polite,
>>> friendly, and respectful, but we can't let their kind nature
>>impact our
>>> opinion of their service delivery capabilities. We think that
>>they should
>>> sit down and try to define their services properly. We also
>>think that they
>>> should hire an ethical hacker with real world experience if they
>>intend to
>>> protect anyone.
>>>
>>> Score Card (Click to Enlarge)
>>>
>>>
>>>
>>< http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RS
>>QlSXs/s1600-h/96YV5X.jpeg>
>>>
>>> --
>>> Posted By secreview to Professional IT Security Providers -
>>Exposed<http://secreview.blogspot.com/2008/01/plannetgroup-
>>f.html>at 1/20/2008 04:21:00 PM
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
> Regards,
> The Secreview Team
> http://secreview.blogspot.com
>
> --
> Love Graphic Design? Find a school near you. Click Now.
> http://tagline.hushmail.com/fc/Ioyw6h4fQlBYaiWpFnhi7pQK25eSsGhZHGXMnUnkrTsYbFDu13WWSE/
> Professional IT Security Service Providers - Exposed
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists