Re: [SCADASEC] 11. Re: SCADA Security - Software fee's

["Adriel T. Desautels" <ad_lists () netragard com>]

Hi Loki


On Feb 20, 2009, at 9:24 AM, Smoking Gun wrote:

> On Thu, Feb 19, 2009 at 7:15 PM, simon_lists  
> <simon_lists () snosoft com> wrote:
>
> > Joshua,
> >       I understand why you wrote what you did but you're wrong. Let  
> > me
> > explain...
> >
> >       Today the security industry is a confused and immature  
> > place.  Most
> > vendors offer half assed services that sell for half assed prices.
>
> Ironically, your own quote"company"quote offered penetration testing
> services at the insane pricing scheme of "we'll pentest0r joo for free
> and if we find something you can pay us to find other holes!".
>
>
> > They advertise those services as if they are high quality, when they
> > are not.  Few vendors offer high quality services and their prices  
> > are
> > higher than the half-assed. The problem is that the consumer can't
> > tell the difference between the half assed service and the high
> > quality service because of how the crap service is marketed.  So, to
> > the uneducated both look like a ferrari, one is a kit-car. Of course
> > the uneducated people are going to choose the lower quality service.
>
> Gullibility is nothing new nor is FUD. See my prior response in the
> paragraph above.
>
> >       That said, its our experience as a high quality vendor that  
> > once we
> > prove / demonstrate the difference in our services when compared to
> > the half-assed that customers are willing to pay for real quality.
>
> Quality vendors in the security industry are a dime a dozen. It's  
> usually
> the uninformed "security monkeys" damaging the reputations of these
> companies. When I think of "quality vendors", I think of those who do
> have a real world comprehension of security outside of ramblings on a
> mailing list. Real security professionals rarely have the time to  
> shoot
> off dozens of email ramblings on a daily basis - you know the kind  
> like
> your protege Kevin (don't call him black) Finestere writes. So let's  
> have
> a manager's view of your purported "quality services" as only you seem
> to think you can offer it.
>
> On your page it states: "Statistics show that companies who do not
> invest in good I.T. security will fall victim to at least one serious
> compromise." Can you show us where this statement was derived from;
> anyone can have fun with numbers, statistics mean little; how have you
> come to this conclusion, how many clients do you supposedly have or
> have studied, to draw this conclusion since you make no reference to
> your source of information.
>
> Netragard: "Most of these companies feel that they can not justify the
> cost of maintaining strong I.T. security for their business." Woe is  
> me in
> my  understanding of how a company's feeling. Do they feel  
> (companies)?
> How do you know, how many companies have you talked to? An individual
> in a company is no indicator of the overall posture of a company.
>
> Netragard: "The reality is that the cost of good I.T. security is  
> equal to a
> fraction of the cost of a single successful compromise." The harsher
> reality is, you can never judge the reasoning behind a company's staff
> to not implement the appropriate controls. How many large company's
> have you worked for in your lifetime - and by large I mean in the  
> 1,000's.
> There are plenty of obstacles in a company which are preventative to
> a strong security posture. There are facts like "implementing this new
> technology will cost us in the millions via way of training, it will  
> disaffect
> legacy systems, clients may jump ship out of frustration therefore for
> this one technology, we may have to scrap it and put in place for it
> a compensatory control" Perhaps you should learn about complexity
> management
>
>
> > Its just a matter of arming customers with information so that they
> > can make the decision thats right for them. In most cases our
> > customers are interested in real security, they can't afford a
> > compromise, so they end up working with us. In some cases the  
> > customer
> > just wants a check in the box, those customers go with the cheaper
> > price.
>
> Your comments and those of your fellow "security bandits" humor
> me. The mechanisms in which you correlate mom and pop like
> businesses with large corporations is amazing. You should be in
> sales.
>
> >       If customers didn't care about quality and they wanted the  
> > cheap
> > service then we wouldn't be in business. Right now, we're a lot more
> > busy than most security firms and the load is only increasing. So you
> > tell me, do people care about quality? Our customers find us because
> > of the work we do for other people, quality is our trademark.
>
> Well pitched snake oil sounding paragraph.
>
> >       And don't insult the consumers by saying that they want the  
> > cheap
> > service, people aren't as stupid as you seem to think.
>
> There ARE actually people who are that stupid and the blind leading
> the blind is a sad yet funny sight. So as I asked your friend Kevin,
> you know the "don't call me black - I don't even work in the security
> industry but sure answer a ton of questions in the field I don't even
> work in" Kevin, how much experience do you *really* have outside
> of being legends in your own mind.
>
> As I sift through years of mailing list threads, I've seen nothing to
> lead me to believe you're any more of an expert than a script kiddie
> pitching tools on a flash based website and calling yourself a
> quote"security expert"quote". The irony of Kevin's prior statement
> speaks for itself "Just so you know I do have a day job, 9-6 that has
> nothing to do with security." Stop the press right there, isn't that
> akin to me giving out medical advice on say a medical mailing lists
> without even working in the medical industry? How, better yet why
> should I take him, you or your company serious. For starters, it's
> sounding more like you have an IRC based company, your workers
> (who don't work in the security field as Kevin stated) work a 9-6
> elsewhere and have personal issues of race when questioned about
> the validity of their status in the industry.
>
> On prior matters of your stated "coward" comment, it has little
> to do with being a coward and more of dealing with due diligence.
> I won't post my identity not to protect myself, but the company
> I work for. I don't need ping -f like DoS attacks coming into my
> infrastructure because you and your protege Kevin feel slighted
> about me questioning your competence in the industry. For me,
> I know those who need to be known, the security has always
> been a small industry, and you sir, you're not even on my level
> technologically, let alone on the level you're portraying yourself
> to be on these mailing lists. Anyone can go back re-read the
> numerous posts you clowns (Kevin, you, Adriel *Netragard*)
> make and ascertain this to be factual - you have little real
> world skills in this industry, proceed with caution.
>
> There is a snippet of a song perhaps Kevin can relate to, this
> I will throw out there since he has an internal racial inferiority
> complex: "We aint no haters like you... Bow Down to some
> nigga's that's greater than you" (Westside Connection) Ending
> on that note, thank you for playing the game with me and
> enforcing the facts we already know, you guys are all talk
> nothing more and nothing less. Definitely not to be taken
> serious.
>
> PS, say hello to Loki for me will ya.
>
>
> > On Feb 19, 2009, at 3:49 PM, Yehoshua Haparua wrote:
> >
> > > Oh enough with the holier than thou attitude, Kevin !!!You work for
> > > money
> > > just like any vendor, though the product you vend is a bit  
> > > different.
> > > Let's say you were offered 750$ an hour for penetrating a community
> > > college
> > > network (they got a nice donation for that) or 200$ an hour for
> > > penetrating
> > > a local utility. Would you "lose" 500$ (time the hours) just to be
> > > more
> > > "important"? Ethical? The mighty dollar is also effecting your
> > > decisions.
> > > You call for the vendors to take a hit for a few licenses. Are you
> > > willing
> > > to do pro-bono pen-testing just to help a vendor improve his  
> > > product,
> > > without getting the publicity for it? No, right? So why do you
> > > expect them
> > > to act differently?
> > > Today's post modern market is geared towards minimum price. People
> > > are not
> > > even expecting quality anymore. Regulation can help, even a lot, so
> > > you need
> > > decent politics to push for effective regulation. Pushing the full
> > > blame at
> > > the vendors is just kicking the nearest object (and yourself, Kevin,
> > > since
> > > you are also a vendor).
> > >
> > > Joshua M.
> > >
> > > On Thu, Feb 19, 2009 at 9:15 PM, Kevin Finisterre (lists) <
> > > kf_lists () digitalmunition com> wrote:
> > >
> > > > Thats exactly my point Larry.. there isn't any incentive. No
> > > > regulation , no worries.
> > > >
> > > > I'm sure Citect could have easily been driven from the market and
> > > > based on the wild claims I heard during my disclosure process  
> > > > perhaps
> > > > they were pretty close to it.
> > > >
> > > > Besides lack of incentive its sooooooooooo much easier to chastise
> > > > the
> > > > big meanies that publish security information and react on an as
> > > > needed basis, rather than actually doing something that may impact
> > > > the
> > > > "bottom line" all the while actually improving the status quo.
> > > >
> > > > /me wonders when pride and devotion to ones work and craft gave way
> > > > to
> > > > making the all mighty dollar.
> > > > -KF
> > > >
> > > >
> > > > On Feb 19, 2009, at 1:56 PM, ljknews wrote:
> > > > > Speaking from the viewpoint of a software vendor, let me ask
> > > > > where the incentive is to care about such things ?  Where are
> > > > > the examples of prominent products being driven from the market
> > > > > due to a lack of software quality ?
> > > > > --
> > > > > Larry Kilgallen
> > > > > _______________________________________________
> > > > > To unsubscribe from this mailing list, please visit:
> > > > > http://news.infracritical.com/mailman/listinfo/scadasec
> > > > >
> > > > > To review our usage policy, please visit:
> > > > > http://www.infracritical.com/usage-scadasec.html
> > > >
> > > > _______________________________________________
> > > > To unsubscribe from this mailing list, please visit:
> > > > http://news.infracritical.com/mailman/listinfo/scadasec
> > > >
> > > > To review our usage policy, please visit:
> > > > http://www.infracritical.com/usage-scadasec.html
> > > _______________________________________________
> > > To unsubscribe from this mailing list, please visit:
> > > http://news.infracritical.com/mailman/listinfo/scadasec
> > >
> > > To review our usage policy, please visit:
> > > http://www.infracritical.com/usage-scadasec.html
> >
> >
> >
> >       Simon Smith
> >       simon_lists () snosoft com
> >        --------------------------------------
> >
> >       Subscribe to our blog
> >        http://snosoft.blogspot.com
> >
> >
> >
> >
> > _______________________________________________
> > To unsubscribe from this mailing list, please visit:
> > http://news.infracritical.com/mailman/listinfo/scadasec
> >
> > To review our usage policy, please visit:
> > http://www.infracritical.com/usage-scadasec.html
>
>
>
> -- 
> Making no mistakes is what establishes the certainty of victory, for
> it means conquering an enemy that is already defeated. - Sun Tzu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



        Adriel T. Desautels
        ad_lists () netragard com
         --------------------------------------

        Subscribe to our blog
         http://snosoft.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/