Full Disclosure mailing list archives

Re: NMRC article and followup


From: <Glenn_Everhart () bankone com>
Date: Fri, 6 Aug 2004 13:11:46 -0400

Ah, some of us in banks are aware of fraud and working on some
answers. We'll see if they help.

Recall my analogy of the work of info security to that of building
fortifications. The first guy who thought of wide low sloped earth
banks to resist cannon fire probably didn't want to give his adversaries
advance notice in which to devise digging machines either.

Didn't care for the white paper though. I prefer to look at how
people live and wrt computer security, how often they ask what
the security implications of anything they do are. "By their fruits
shall ye know them..." (Also: "Use the source, Luke!")

;-)

Glenn Everhart


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of George
Capehart
Sent: Friday, August 06, 2004 11:49 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: MS04-025 - Ignorance is truly
bliss....


On Thursday 05 August 2004 18:49, hellNbak allegedly wrote:
On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy  
wrote:

<snip>


The only mistake you make above is that you paint the entire industry
with the same brush.  Yes, I and a lot of people make money in this
industry. We took a hobby and made it a job -- why not?  Why not get
paid for something you enjoy?  Working in this industry does not
automatically make you a false prophet as you explain above.

Over the long term -- no one will benefit -- and I don't care how big
the paycheck is -- telling a client what they want to hear is not the
way many of us choose to make a living.  Sure, there are a lot of
people in EVERY industry that are willing to push ethics aside and do
what it takes for that paycheck, but I know I can look myself in the
mirror and say that I am not one of those people.

Eventually the false prophets are exposed; sure, they already got
their paycheck and have moved on to the next sucker, but eventually
they run out of suckers and money.

What do you hope to achieve, or how do you believe your opinion is
being relevant or novel, if you come to this audience, and state
that CERT is no longer credible, and is a bunch of crooks who live
off selling advance vulnerability warnings? Or that Microsoft is
not exactly particularly devoted to improving security of their
products and protecting their customers?

I hoped to stir some shit up, perhaps give the guys over at
secure () microsoft com a bit of a kick in the nuts as there was a time
that they were making at least a little progress.  I was hoping to
draw enough attention to this issue that perhaps someone from one of
the major banks will one day sit down and correlate the connection
between vulnerabilities such as this and losses due to fraud.  The
only way that any vendor is going to be forced to actually care about
security and actually care about users is when those users mean lots
of $$$ to them.

There just might be some hope . . . check out this white paper from PWC 
on "Integrity-Driven Performance."
http://www.cfodirect.com/cfopublic.nsf/f19696b6432afb8b8525690a000c9f67/86a39deb761f514d85256e3f00641442/$FILE/PWC_GRC_WP.pdf

(URL might wrap).  You can get it from Google if you search on 
pwc_grc_wp.pdf . . .

Cheers,

/g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


