Full Disclosure mailing list archives

Re: [Professional IT Security Providers - Exposed] QuietMove ( D - )


From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 31 Dec 2007 20:36:49 -0700

On Dec 31, 2007 2:13 PM, secreview <secreview () hushmail com> wrote:
> Not sure about our readers, but to us at Secreview that hardly
> makes Adam an IT Security Expert.
>
> But wait, now we have a discrepancy...

Pardon me, but who is this?  "secreview"?  Who is behind this email
address?  If you don't identify yourself then I assume that this
entire thread is some sort of vengeance play.

> According to the QuietMove website, Adam "has over 14 years of experience in
> information security, software, and product R&D with 8 years being dedicated
> solely to security." His QuietMove bio goes on to say "Adam's particular
> talents include penetration testing of web and binary applications,
> networks, systems, and SCADA, "social engineering" and physical penetration
> of facilities, and in developing professional services offerings."
>
> This just doesn't add up.

I can vouch for Adam's 14 years of experience and then some.  When I
met Adam in 1992, he already had a strong command of Unix security.
He was an administrator (1 of 4 total over 7 years) of Unphamiliar
Territories (UPT), a vulnerability research BBS that ran from 1989 -
1996.  It was a prominent place for information about vulnerability
research.  Many held it in higher regard than Phrack magazine or any
leading website/magazine during that time period.

Sites such as PullThePlug, HackThisSite, etc. all borrowed ideas from
UPT, and the code was re-used and made available in Phrack magazine as
well as integrated into the Linux kernel or features thereof.  UPT was
about 5-6 years ahead of the NSA before they released SELinux and 7-8
years ahead of projects such as GRSecurity.  Anyone making such an
enormous contribution to this sort of project has certainly provided a
greater service to our industry than a "secreview"/company-bashing
organization such as yourself.

> Anyway, remember we didn't set out to bash anyone here

Well then you should read your email before you hit the "send" button.

> but Adam/QuietMove
> put himself/themselves in the line of fire. QuietMove appears to be a very
> small and disorganized shop. Their website is half-assed and incomplete and
> we can't say anything better about their talent profile. We suggest that
> QuietMove complete their website and review their talent profile, then we'll
> set out to do another review and see if they score better. As of right now,
> we can't give them more than a D-. We'll keep an eye on their website and
> redo this review if they ever fix their issues.

Many small businesses such as QuietMove have a hard enough time
staying alive in this industry.  I suggest you "pick on someone your
own size" even if you have a legitimate problem with QuietMove or
Adam.

Compared to the other companies that you mentioned (Accuvant, IBM/ISS,
Pegasus), QuietMove will certainly provide a much more friendly
service environment for companies to work in.  I would put my
recommendation of quality on the work QuietMove does as A+.  There are
few PCI ASVs or penetration testing companies that I would find any
value in -- and QuietMove exceeds my expectations in this area.

Cheers,
Andre

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

