Full Disclosure mailing list archives
Re: [SCADASEC] 11. Re: SCADA Security - Software fee's
From: Michael Krymson <krymson () gmail com>
Date: Mon, 23 Feb 2009 09:26:05 -0600
On Mon, Feb 23, 2009 at 8:57 AM, Smoking Gun <pentesterkunt () gmail com> wrote:

On Sat, Feb 21, 2009 at 9:30 PM, <Valdis.Kletnieks () vt edu> wrote:

On Fri, 20 Feb 2009 09:24:29 EST, Smoking Gun said:

Ironically, your own quote"company"quote offered penetration testing services at the insane pricing scheme of "we'll pentest0r joo for free and if we find something you can pay us to find other holes!".

And how, exactly, is that an "insane" pricing scheme? If you think about it for a bit, it actually makes quite a bit of sense - Snosoft needs to prove they're in fact good enough to be able to find the holes you're paying them to find, or it doesn't cost anything. That *sure* as hell beats paying $100K for a pen test, and then finding out that you hired a bunch of asswipes who can't find holes.

Valdis, do you speak mainly to see your own threads? You seem to answer hundreds of posts, and the ratio of worthwhile posts to you rambling is a tad bit insane. For starters, academia is extremely different from the business world, where SOX, GLBA and other regulatory controls weigh heavy. Sadly, you, having to follow EDUCAUSE, should know better than to make that sort of comment, which makes me wonder whether or not at this point you simply like feeding trolls or simply respond to see your own writings.
Blah blah blah...
Once upon a time I lived in the great city of New York. At the time there was a business called "Crazy Eddie" and I remember the commercial, the actor in the commercial and the slogan: "Crazy Eddie, his prices are INSANE!" followed by "Crazy Eddie, he's practically giving it all away." The issue with Crazy Eddie was that he was committing fraud, as should be the case with reckless so-called security experts who come up with insane ideas. http://en.wikipedia.org/wiki/Crazy_Eddie The issue with this business practice is it almost always leads to a customer being delivered a shoddy security report, with the customer believing that a "scan here and a scan there" will show them the problems in their infrastructure. Any tool that can be used can glean a potential issue with anything from A to Z, which can then be used to show some form of "false" issue. You may get those companies who would believe "Oh well, if that's my only problem, here is your $1,000.00, thanks Mr. Ethical Hacker!" False positive mitigated, issue still exists, compromise occurs, and now "real life" security "experts" are given a black eye due to the information security whore idiots such as Simon and the rest of his flunkies at SNOSoft.
You've taken an argument above that I think every security researcher on this list and beyond can agree with. That includes Valdis and Snosoft, I'm sure. So, what are you arguing again? I understand your point, but not really sure why you're bothering preaching to the choir.
Do you run a simple vulnerability scanner at Virginia Tech and call it a day? I would hope not, for your students' sake. I'm sure people in Ambler Johnston or Shanks would be pretty pissed to see your level of due care, Valdis. Security is a lot more than plucking a tool off of Insecure's website, aiming it at an IP and calling it a day. For starters, most large companies have their webservers and much of that infrastructure (the forward-facing infrastructure) completely segregated. So what will a moronic "vulnerability" assessment for $1,000.00 gain me outside of soupy snake oil "take the money and run" Crazy Eddie scams?
Blah blah gross personal speculation blah... At any rate, if CEO Cloe decides to hire a pen-tester for $1,000 and gets back a scan with some dumpy reports on it (sorry, it's not a SmokingGun report that shakes the ground and makes angels weep), where is the real breakdown here? Did she not get something in return? Was she underpaying and thus getting Crazy Eddie crap? Was her expectation skewed? Or maybe is her resultant declaration that her company is fully secure after that scan ludicrous? Maybe I'm missing your point. If so, please succinctly state it, without the rhetoric and analogies. Then tell me (or us if you prefer a pulpit) how that applies to your inquisition of Snosoft or your denouncement of Valdis. If you're just being angry and need a hug, maybe we can hold hands and share a few online Team Fortress runs together? It can be a moment of salvation for both of us!
- Making no mistakes is what establishes the certainty of victory, for it means conquering an enemy that is already defeated. - Sun Tzu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Smoking Gun (Feb 20)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Adriel T. Desautels (Feb 20)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Smoking Gun (Feb 20)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Valdis . Kletnieks (Feb 21)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Smoking Gun (Feb 23)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Michael Krymson (Feb 23)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Smoking Gun (Feb 23)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Smoking Gun (Feb 23)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Adriel T. Desautels (Feb 20)
- <Possible follow-ups>
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's bobby . mugabe (Feb 22)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's Michael Krymson (Feb 23)
- Re: [SCADASEC] 11. Re: SCADA Security - Software fee's bobby . mugabe (Feb 23)