Re: [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

["Jerry dePriest" <jerryde () mc net>]

nice to see some have mlk off and nothing better to do
----- Original Message ----- 
From: "SecReview" <secreview () hushmail com>
To: <nate.mcfeters () gmail com>
Cc: <full-disclosure () lists grok org uk>
Sent: Monday, January 21, 2008 10:40 AM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] 
PlanNetGroup ( F )


> Nate,
>    Your email was constructive and much appreciated. We'll go over
> the review a second time and incorporate some of your suggestions.
> Thank you for taking the time to provide so much good feedback.
>
>
>
> On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters
> <nate.mcfeters () gmail com> wrote:
> > SecReview,
> > My 2 cents on your review, although I will try to be nicer then
> > you were to
> > the reviewee.  I'm completely skipping your section where you
> > talked to the
> > non-technical person, that's not even fair... sorta like reviewing
> > a
> > consulting group based on their website alone... oh shit, I forgot
> > you guys
> > do that too.
> >
> > Your comments on Question 1:
> >
> > We're not impressed with Michael's answer. First off we have no
> > idea what
> > the hell this means: "Depending on time and availability, we will
> > work on
> > finding any new vulnerability if we generate an anomaly of
> > interest." And we
> > totally disagree with "Currently, the focus is primarily on
> > discovering new
> > Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat
> > on,
> > compared to Oracle." In fact, whatever is being described above
> > doesn't
> > sound anything like a vulnerability assessment, we're not sure
> > what kind of
> > service it is.
> >
> > The first portion "Depending on time and availability..." I don't
> > understand
> > what your confusion is.  Basically the responder is saying that
> > he's willing
> > to do what the client will pay him for.  Consulting is not a
> > cookie-cutter
> > gig, so sometimes clients want you to spend 5 minutes running
> > scans, some
> > want you to fuzz a proprietary protocol for as long as it takes.
> > I
> > personally don't think either end of the extreme is of value to
> > the client,
> > but you can hardly fault the respondent for delivering what the
> > client asks
> > for.
> >
> > The second, I don't agree the overall focus is on Oracle, but if
> > you read
> > the new (ZDnet, eWeek), or if you follow the conferences (HITB
> > Malaysia 2007
> > great Oracle presnetation), then you will know that Oracle is
> > catching a bit
> > of the limelight.  Besides that, I don't think you are qualified
> > to say what
> > exactly a vulnerability assessment is... if the client is paying
> > you to
> > assess their database servers, then that is a vulnerability
> > assessment of
> > their database servers and that is what the work is.  Different
> > clients have
> > different needs, and their are different specialty consulting
> > groups to help
> > meet those... can hardly fault him if his specialty is databases.
> >
> > Your Comments on Question 2:
> >
> > > > trying to be cute with your "Again, carefully!" bullshit?
> >
> > Come on guys... imagine you get called by a group of people asking
> > to assess
> > your company and you don't know who they are, wouldn't you try to
> > befriend
> > them if possible?  A little professionalism would go a long way to
> > improving
> > your reviews.
> >
> > > > A penetration test is not "Anything Goes!"
> >
> > Umm... sorry guys, there is plenty of cause for performing a
> > Denial of
> > Service test.  Keep in mind that availability is a large portion
> > of what
> > security is about.  I don't think he's talking about using a bot
> > net to try
> > to take them down.
> >
> > > > it doesn't sound like Michael knows how to perform IDS evasion
> > testing.
> > Using a proxy is >>not going to help anyone evade detection, it
> > will just
> > help them to hide their IP address.
> >
> > Hmm... well, you're partially right.  I suppose that if he had
> > enough proxy
> > servers and kept his scans very focused, he "might" be able to get
> > around an
> > IDS.  In any case, not all clients want IDS evasion performed...
> > for
> > instance, they may want to test their incident response, or, they
> > may allow
> > the consulting group through the IPS/IDS in an effort to save on
> > time and
> > costs.
> >
> > Your response to question 3:
> >
> > > > From the answer above, it looks like they like the same tools as
> > most
> > people. That said, >>we've seen no proof of talent from anyone at
> > PlanNetGroup yet. So we're near certain that >>their deliverables
> > ARE the
> > product of automation.
> >
> > If they are the same tools that everyone use, how can you knock
> > them for
> > that?  It seems to me that a group starts with a score of 0 in
> > your book,
> > and then if they impress you they get points.  If you don't ask
> > the right
> > questions, I don't see how they could impress you.  I concede, it
> > is
> > certainly possible that they have no skills, and that they use
> > automation,
> > but I don't think it is fair to say that at this point of the
> > review.
> >
> > Your response to question 4:
> >
> > > > Woha, it takes too much time to create a fake deliverable? Well
> > that's one
> > way to get out >>of it, but we don't buy it. Either way, at this
> > point we
> > don't feel that a sample report would >>help this review, we've
> > seen nothing
> > impressive yet.
> >
> > Ever tried to do so?  It does take awhile, and it is risky.  If
> > you miss
> > sanitization and release results of one of your clients you could
> > get sued.
> > Perhaps given the context of the investigation he didn't want to
> > give you
> > an old report and it would take to long and too much of his
> > billable time to
> > actually get this to you.  That's not unreasonable.  You aren't
> > paying him.
> > Again with the comments of nothing impressive yet.  You are
> > asking generic
> > questions, how could anything be impressive?  It's a phone call or
> > email and
> > you are asking questions that almost all consulting groups should
> > have
> > relatively the same answers to... I see nothing impressive in that
> > at all.
> >
> > Your response to question 5:
> >
> > > > It sounds like Michael has a difficult time sticking to the
> > scope of work.
> > Any time anyone >>performs Distributed Metastasis it should be
> > built into a
> > scope of work first. If it is not, >>then do not perform the
> > testing because
> > it is invasive and will get you into trouble. This is >>a big
> > negative point
> > in our eyes as its critical that providers are able to adhere to
> > the scope
> > > > of work for each specific engagement.
> >
> > I actually agree with most of this, but then again, as long as he
> > doesn't go
> > over the clients budgetary and time constraints and is providing
> > the
> > customer with value, I have no problem with going outside of scope
> > as long
> > as the client does not.  Also, I don't know that it is a big
> > negative as you
> > say.
> >
> > Your response to question 6:
> >
> > > > It sounds like Michael is a corporate security guy and has no
> > experience
> > as a hacker.
> > Bit of a blanket statement I'd say, but OK, let's assume you are
> > correct
> > > > Certifications hold little to no water when it comes to real IT
> > security.
> > Agreed, but you are totally putting words into his mouth.  He
> > basically says
> > the same thing by calling the CISSP a definition test.  Why do
> > that?  Most
> > people in security have the certs... most realize they are worth
> > nothing and
> > don't really test tech knowledge, but instead test business
> > knowledge.
> > > > What does hold water is experience and from what we can tell,
> > Michael has
> > no real hacker >>experience.
> > Please define "no real hacker experience".  If you mean he isn't
> > 31337 like
> > you guys, then OK.  BTW, most clients aren't just paying for "real
> > hacker
> > experience" they're also paying for the business side, i.e. what
> > is my risk,
> > how can I mitigate, etc.  A good team has both people.
> >
> > On your response to question 7:
> >
> > Do you resell third party technologies?
> >
> > > > We don't think that it is a good idea that Professional IT
> > Security
> > Providers sell third party >>technologies. Specifically because
> > they become
> > biased towards a specific technology and >>push that technology as
> > a method
> > of remediation when better methods might already exist.
> > Agreed.  But that said, what if your third-party tech. has nothing
> > to do
> > with the main thrust of your consulting work?  The question is
> > pretty vague.
> >
> > On your response to question 8 and 9:
> >
> > Ok, I'll buy that you have cookie cutter definitions from google
> > of those
> > flaws and that his definitions don't fit.  I'll even buy that you
> > make a
> > good point when you say EIP overwrite is not the only method of
> > exploitation
> > (especially these days), but I'm wondering what you expected.
> > Should he
> > have rattled on and on about how to exploit b0f in an XP SP 2
> > environment?
> > Talk to you at length about DEP?  Bit ridiculous expectations.
> > Hell, while
> > your at it, why didn't you ask him about integer overflows?  Off-
> > by
> > one/few/many exploits?  Heap overflows?  Why not have him recite
> > the Heap
> > Fung Sheui method to you?  What about double free flaws, dangling
> > pointers,
> > etc. etc. etc.  Let's be serious here, unless you are contracted
> > by
> > Microsoft or another major software vendor, you probably don't pay
> > the bills
> > by doing your own research, so... does this really matter?  Sure,
> > it's
> > great... I'd like to know that consultants I was paying top dollar
> > to knew
> > about this, but if he comes on site and spends 3 weeks trying to
> > find an
> > integer overflow, I'm going to be pissed.
> >
> > Disclaimer:
> > I'm not a client of PlanNetGroup.  Also, I don't think what you
> > are trying
> > to do is a terrible thing, there's lots of snake oil being sold in
> > the
> > commoditized security market out there, but I disapprove of your
> > professionalism and your methods.  Also, I believe the list is
> > still waiting
> > for you to credentialize yourself/yourselves.  That still hasn't
> > seem to be
> > grasped here.  Look, if you're someone people respect, then maybe
> > people
> > will buy your reviews, but somehow I doubt that is the case.  I'm
> > basing
> > that view off of the content of your website and the fact that you
> > still
> > have not credentialized yourself as the list called for so long
> > ago.  Do
> > that, and I will re-review my review of your reviews.
> >
> > Nate
> >
> > On Jan 20, 2008 7:17 PM, secreview <secreview () hushmail com> wrote:
> >
> > > The PlanNetGroup is a Professional IT Security Services Provider
> > located
> > > at http://www.plannetgroup.com. <http://www.plannetgroup.com/>
> > One of our
> > > readers requested that we perform a review of the PlanNetGroup,
> > so here it
> > > is. It is important to state that there isn't all that much
> > information
> > > available on the web about the PlanNetGroup, so this review is
> > based mostly
> > > on the interviews that we performed.
> > >
> > > The PlanNetGroup was founded by Jim Mazotas of Ohio USA
> > according to this Affirmative
> > > Action Verification Form<http://odnapps01.odn.state.oh.us/das-
> > eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b
> > 8525735d00607a6d?OpenDocument>.
> > > We called Mr. Succotash and spoke with him for about an hour
> > about his
> > > company, here's what he had to say.
> > >
> > > When we spoke with Jim Mazotas we asked him how he defined a
> > Penetration
> > > Test. His answer wasn't really an answer at all but rather was a
> > bunch of
> > > technical words strung into sentences that made no sense. Here
> > is what he
> > > said for the most part. We can't give you an exact quote because
> > he
> > > requested that some of the information related to clients, etc
> > be kept
> > > confidential.
> > >
> > > "We get to target object, where we go with that is based upon
> > the client's
> > > comfort level. We grab banner information, backend support
> > information, and
> > > other kinds of information. During a penetration test we most
> > will not
> > > penetrate. Most mid level companies will not want penetration."
> > – Sanitized
> > > Quote from Jim
> > >
> > > Not only do we not understand what Jim said, but he'd be better
> > off saying
> > > "I don't know" next time instead of looking like an idiot and
> > making up an
> > > answer. This goes for all of you people that get asked technical
> > questions.
> > > If you say "I don't know" at least you won't look like a fool.
> > Anyway.
> > > When we asked Jim to define a Vulnerability Assessment, we
> > became even
> > > more flustered. Again his answer was like a politician trying to
> > evade a
> > > question with a bunch of nonsensical noise. Again, we've
> > sanitized this at
> > > Jim's request.
> > >
> > > " A Vulnerability Assessment is more a lab based environment
> > type test.
> > > Analyze servers and all nodes that are a true vital asset to the
> > company and
> > > assess the vulnerability In a very planned out manner. This is
> > done in a lab
> > > based environment." – Sanitized Quote from Jim
> > >
> > > Again, next time say "I don't know" because now you look like an
> > idiot.
> > > Nobody expects you to know everything, but when you make shit up
> > and try to
> > > fool people, its insulting. To be fair to Jim, he did say that
> > he was not
> > > technical, but we didn't get technical here. As the founder of
> > the business
> > > he should at least know what his different service boundaries
> > are and how
> > > his services are defined.
> > >
> > > When we asked Jim if his team performed Vulnerability Research
> > and
> > > Development, he said that they did not have the time because
> > they were
> > > "fully booked". His primary customer base includes state
> > government and a
> > > few private sector businesses. Unfortunately, we can't disclose
> > who his
> > > exact customers are. He did say that he provides Network
> > Management Services
> > > and Wireless Management services for many of his clients. Sounds
> > more IT
> > > related than Professional Security related.
> > >
> > > When we finished with our call to Jim we asked him if he'd be
> > kind enough
> > > to give us contact information for someone more technical in his
> > company. He
> > > told us that he'd be happy to arrange a call with someone. At
> > the end, we
> > > didn't end up calling anyone but instead shot a few emails back
> > and fourth.
> > > The rest of this review is based on those emails.
> > >
> > > We decided to ask the same questions to Jim's technical expert.
> > We know
> > > who his expert is, but we assume that he wants to stay anonymous
> > because he
> > > signed his email with "Jason Bourne". So for the sake of this
> > interview
> > > we'll call him Michael. Here's the email from Michael:
> > >
> > > -) How do you perform your vulnerability assessments?
> > >
> > > "* Carefully! :) Typically, we will work with the customer to
> > define the
> > > scope of the assessment; limitations to OS, Network Equipment,
> > Web
> > > Server, etc. This could be a combination of components
> > (depending on
> > > scope), the real goal ultimately with this is to assess the
> > patching
> > > effort of a customer. Depending on time and availability, we
> > will work
> > > on finding any new vulnerability if we generate an anomaly of
> > interest.
> > > Currently, the focus is primarily on discovering new Oracle
> > > vulnerabilities - as MS SQL 2K5 is more difficult to beat on,
> > compared
> > > to Oracle. Within vulnerability assessments, we disregard any
> > attempts
> > > to evade IDS, IPS, etc."
> > >
> > > We're not impressed with Michael's answer. First off we have no
> > idea what
> > > the hell this means: "Depending on time and availability, we
> > will work on
> > > finding any new vulnerability if we generate an anomaly of
> > interest." And we
> > > totally disagree with "Currently, the focus is primarily on
> > discovering new
> > > Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat
> > on,
> > > compared to Oracle." In fact, whatever is being described above
> > doesn't
> > > sound anything like a vulnerability assessment, we're not sure
> > what kind of
> > > service it is.
> > >
> > > -) How do you perform your penetration testing?
> > >
> > > * Again, carefully! The definition that I use with customers is -
> >
> > > Anything Goes! In addition to attempting to locate missing
> > patches,
> > > vulnerable IOS's, applications, etc - we will perform an
> > assortment of
> > > timed attacks, attempt to spoof trusted connections, or even
> > perform
> > > social engineering - like dropping a few pre-trojan'd usb data
> > sticks
> > > outside of a customer service area, a data center, etc. The only
> > thing
> > > that we do not perform, typically, is denial of service style or
> > type of
> > > attacks. We have had only one customer that we felt was in the
> > position
> > > to handle such a test and it was performed against their
> > disaster
> > > recovery infrastructure, not production."
> > >
> > > Michael, why are you trying to be cute with your "Again,
> > carefully!"
> > > bullshit? A penetration test is not "Anything Goes!", if that's
> > how you
> > > define it then I don't want you anywhere near any of my
> > networks. And why
> > > the hell would you perform a Denial of Service attack against
> > anyone?
> > > Everybody can be knocked off line if you fill up their pipe. You
> > scare us
> > > man!
> > >
> > >
> > > -) How do you perform evasive IDS testing?
> > >
> > > "* We use a series of proxy servers to attempt to perform basic
> > hacking
> > > techniques; port scans, blatant attacks, etc. We are typically
> > going to
> > > look for TCP resets as a means to evaluate if IDS is present and
> > > possibly to find if IDS performs blocking activity. Often times,
> > if a
> > > system in a trusted DMZ can be compromised and used as a proxy
> > > (exploiting a relationship or rule within a firewall) or an SSH,
> > SSL,
> > > encrypted tunnel can be established to a server behind the IDS
> > sensor
> > > than we can successfully pull off an attack without the
> > customers
> > > security staff even knowing."
> > >
> > > It doesn't sound like Michael knows how to perform IDS evasion
> > testing.
> > > Using a proxy is not going to help anyone evade detection, it
> > will just help
> > > them to hide their IP address. If the target network or
> > application is being
> > > protected by an IPS device, then the IP that they are attacking
> > from will be
> > > shunned just the same. So, we understand that the PlanNetGroup's
> > expert
> > > hasn't a clue as to how to evade IDS. (Michael, did you get your
> > answer from
> > > Google?)
> > >
> > > -) What tools do you favor?
> > >
> > > "* We really do not favor any tools. The focus of our effort
> > (Assuming we
> > > are performing a pen-test or assessment) is to analyze a
> > situation and
> > > choose the best tool for the end result or compromise. I will
> > use commercial
> > > applications, such as AppScan, WebInspect, even ISS. There are
> > however
> > > plenty of freeware, low-cost tools that we use; nmap, nessus,
> > metasploit -
> > > ultimately, I find that an internet browser and a telnet prompt
> > will suffice
> > > for much of the testing. It ultimately gets back to interpreting
> > the results
> > > and adjusting the testing accordingly. We make it a point to try
> > out new
> > > freeware tools on every assignment. The more tools that we know
> > of and can
> > > test with opens our options if in the future a situation best
> > suited for a
> > > tool presents itself."
> > >
> > > Every business that delivers security services has a set of
> > tools that
> > > they use. These tools change from business to business, but
> > common ones are
> > > nessus, webinspect, CANVAS, Core Impact, Metaspoloit, etc. From
> > the answer
> > > above, it looks like they like the same tools as most people.
> > That said,
> > > we've seen no proof of talent from anyone at PlanNetGroup yet.
> > So we're near
> > > certain that their deliverables ARE the product of automation.
> > >
> > > -) Can you provide us with sample deliverables? (sanitized)
> > >
> > > "* No, too much time. Even to sanitize creates an opportunity
> > for a
> > > liability in the event that a customer name is exposed ...
> > accidents do
> > > happen! I will say that we do not take dumps from applications
> > and
> > > regurgitations the information on paper. We limit our executive
> > summary to 6
> > > pages at most and attempt to keep the entire report limited to
> > 25 pages in
> > > total. Our goal with a deliverable is to get the precise
> > information to the
> > > key stake holders so that they can make a decision."
> > >
> > > Woha, it takes too much time to create a fake deliverable? Well
> > that's one
> > > way to get out of it, but we don't buy it. Either way, at this
> > point we
> > > don't feel that a sample report would help this review, we've
> > seen nothing
> > > impressive yet.
> > >
> > > -) Do you offer the option of performing Distributed Metastasis?
> > >
> > > "* No, not really. This is my decision as in a previous life I
> > got walked
> > > out of Bell Atlantic Mobile (Verizon Wireless) using this
> > technique when I
> > > compromised their Unix infrastructure by compromising the rlogin
> > function
> > > (on all Unix servers, across all data centers). There is no
> > substitute for
> > > experience, especially bad ones!"
> > >
> > > It sounds like Michael has a difficult time sticking to the
> > scope of work.
> > > Any time anyone performs Distributed Metastasis it should be
> > built into a
> > > scope of work first. If it is not, then do not perform the
> > testing because
> > > it is invasive and will get you into trouble. This is a big
> > negative point
> > > in our eyes as its critical that providers are able to adhere to
> > the scope
> > > of work for each specific engagement.
> > >
> > > -) What is your background with relation to information
> > security?
> > > "* Too long, too boring. Yeah got the CISSP (nice vocabulary
> > test), but
> > > had to as I worked for DOD. Got a number of Certifications (I
> > have a stack
> > > almost an inch thick and only get into them about once a year to
> > throw
> > > another couple on top of the previous ones - too much alphabet
> > soup for me,
> > > but bosses and customers like it. Spoke at a number of
> > > European conferences, but found too many people did not
> > understand a word
> > > I was talking about, so I got tired of that and quit that scene.
> > My outlook
> > > on security has changed, to the point that I will advise
> > customers of their
> > > risk, attempt to make it practical - but if they make a
> > conscious choice not
> > > to listen - I do not fret over it.?"
> > >
> > > It sounds like Michael is a corporate security guy and has no
> > experience
> > > as a hacker. Certifications hold little to no water when it
> > comes to real IT
> > > security. What does hold water is experience and from what we
> > can tell,
> > > Michael has no real hacker experience.
> > >
> > > -) Do you resell third party technologies?
> > >
> > > "* No, but kind of wished that we would. I think that it would
> > help with
> > > sales."
> > >
> > > We don't think that it is a good idea that Professional IT
> > Security
> > > Providers sell third party technologies. Specifically because
> > they become
> > > biased towards a specific technology and push that technology as
> > a method of
> > > remediation when better methods might already exist.
> > >
> > > -) Can you tell me why the EIP is important?
> > >
> > > "* The EIP controls an applications execution. If an attacker
> > can modify
> > > the EIP while it is being pushed on the stack then the attacker
> > *could*
> > > execute their own code and create a thread (aka. a buffer
> > overflow condition
> > > exists). I had a good refresher this past year at Blackhat with
> > a course run
> > > by Saumil Shah - he had an interesting buffer overflow
> > > for the Linked-In client."
> > >
> > > The EIP is the Instruction Pointer for the x86 architecture. The
> > purpose
> > > of the EIP is to point to the next instruction in a particular
> > code segment.
> > > If the EIP can be overwritten then the flow of control of an
> > application can
> > > be changed. In most cases this can lead to the execution of
> > arbitrary code
> > > on the targeted system. Hackers use this to penetrate vulnerable
> > systems.
> > > -) Can you define a format string exploit?
> > >
> > > "* A format string exploit leverages what is considered a
> > programming
> > > bug. If input is not sanitized, an attacker can perform calls to
> > the
> > > stack; read, write, etc without knowing details about the EIP."
> > >
> > > Unfortunately this answer isn't accurate or detailed enough as
> > almost all
> > > software vulnerabilities are the result of user input that is
> > not properly
> > > sanitized or validated. A format string condition occurs when a
> > user inserts
> > > a format token into a C based application and that input is not
> > properly
> > > sanitized. Hence why it is called a format string vulnerability.
> > When that
> > > input hits a function that performs formatting, such as printf()
> > the input
> > > is interpreted in accordance with the format tokens. Sometimes
> > this can be
> > > used to write arbitrary data to arbitrary memory locations. The
> > EIP isn't
> > > the only valuable memory location.
> > >
> > >
> > >
> > >
> > > If you've managed to get this far, then you've survived reading
> > Michael's
> > > answers to our questions. We're not going to spend much more
> > time writing
> > > this review because by now we've formed our opinion. We did take
> > a quick
> > > look at the PlanNetGroup's website and as with their people, we
> > were not the
> > > least bit impressed.
> > >
> > > Our opinion of the PlanNetGroup is that they'd have a hard time
> > hacking
> > > their way out of a wet paper bag. Their security expert is not
> > an expert by
> > > our standards, as he did not properly answer any of our
> > questions or help to
> > > define any of their services. We're pretty sure that the
> > PlanNetGroup could
> > > run nessus and offer basic vulnerability assessment services.
> > We're also
> > > pretty sure that they could offer IT services at some level. But
> > we'd hardly
> > > call them subject matter experts and wouldn't recommend their
> > services to
> > > anyone.
> > >
> > > If you are using the PlanNetGroup services and feel that we have
> > not given
> > > them a fair review then please comment on this post. We will
> > consider your
> > > comments. We have to say that Jim and Michael were both very
> > polite,
> > > friendly, and respectful, but we can't let their kind nature
> > impact our
> > > opinion of their service delivery capabilities. We think that
> > they should
> > > sit down and try to define their services properly. We also
> > think that they
> > > should hire an ethical hacker with real world experience if they
> > intend to
> > > protect anyone.
> > >
> > > Score Card (Click to Enlarge)
> > <http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RS
> > QlSXs/s1600-h/96YV5X.jpeg>
> > > --
> > > Posted By secreview to Professional IT Security Providers -
> > Exposed<http://secreview.blogspot.com/2008/01/plannetgroup-
> > f.html>at 1/20/2008 04:21:00 PM
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> Regards,
>      The Secreview Team
>      http://secreview.blogspot.com
>
> --
> Love Graphic Design? Find a school near you. Click Now.
> http://tagline.hushmail.com/fc/Ioyw6h4fQlBYaiWpFnhi7pQK25eSsGhZHGXMnUnkrTsYbFDu13WWSE/
>      Professional IT Security Service Providers - Exposed
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/