lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d141dfb90902230657v76834456u5abf49bb3c7361a4@mail.gmail.com>
Date: Mon, 23 Feb 2009 09:57:25 -0500
From: Smoking Gun <pentesterkunt@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk, scadasec@...s.infracritical.com
Subject: Re: [SCADASEC] 11. Re: SCADA Security - Software
	fee's

On Sat, Feb 21, 2009 at 9:30 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Fri, 20 Feb 2009 09:24:29 EST, Smoking Gun said:
>
>> Ironically, your own quote"company"quote offered penetration testing
>> services at the insane pricing scheme of "we'll pentest0r joo for free
>> and if we find something you can pay us to find other holes!".
>
> And how, exactly, is that an "insane" pricing scheme?  If you think about
> it for a bit, it actually makes quite a bit of sense - Snosoft needs to prove
> they're in fact good enough to be able to find the holes you're paying them
> to find, or it doesn't cost anything.
>
> That *sure* as hell beats paying $100K for a pen test, and then finding out
> that you hired a bunch of asswipes who can't find holes.
>

Valdis, do you speak mainly to see your own threads. You seem to answer
hundreds of posts and the ratio of worthwhile posts to you rambling is a tad
bit insane. For starters, academia is extremely different from the business
world where SOX, GLBA and other regulatory controls weigh heavy. Sadly
you having to follow EDUCAUSE should know better than to make that sort
of comment which makes me wonder as to whether or not at this point you
simply like feeding trolls or simply respond to see your own writings.

Once upon a time I lived in the great city of New York. At the time there
was a business called "Crazy Eddie" and I remember the commercial, the
actor in the commercial and the slogan: "Crazy Eddie his prices are
INSANE!" followed by "Crazy Eddie he's practically giving it all away" The
issue with Crazy Eddie was, he was committing fraud as should be the
case with reckless so called security experts who come up with insane
ideas. http://en.wikipedia.org/wiki/Crazy_Eddie

The issue with this business practice is it almost always leads to a
a customer being delivered a shoddy security report with the customer
believing that a "scan here and a scan there" will show them the problems
in their infrastructure. Any tool that can be used can glean a potential
issue with anything from A-to-Z which can then be used to show some
form of "false" issue. You may get those companies who would believe
"Oh well if that's my only problem, here is your $1,000.00 thanks Mr.
Ethical Hacker!" False positive mitigated, issues still exists, compromise
occurs and now "real life" security "experts" are given a black eye due to
the information security whore idiots such as Simon and the rest of his
flunkies at SNOSoft.

Do you run a simple vulnerability scanner at Virginia Tech and call it a
day I would hope not for your students sake. I'm sure people in Ambler
Johnston or Shanks would be pretty pissed to see your level of due
care Valdis. Security is a lot more than plucking a tool off of Insecure's
website; aiming it an an IP and calling it a day. For starters most large
companies have their webservers and much of that infrastructure (the
forward facing infrastructure) completely segregated. So what will a
moronic "vulnerability" assessment for $1,000.00 gain me outside of
soupy snake oil "take the money and run" Crazy Eddie scams.

-
Making no mistakes is what establishes the certainty of victory, for
it means conquering an enemy that is already defeated. - Sun Tzu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ