Full Disclosure mailing list archives

Re: [SCADASEC] 11. Re: SCADA Security - Software fee's


From: Smoking Gun <pentesterkunt () gmail com>
Date: Mon, 23 Feb 2009 11:28:16 -0500

On Mon, Feb 23, 2009 at 10:26 AM, Michael Krymson <krymson () gmail com> wrote:


On Mon, Feb 23, 2009 at 8:57 AM, Smoking Gun <pentesterkunt () gmail com> wrote:

Blah blah gross personal speculation blah...

At any rate, if CEO Cloe decides to hire a pen-tester for $1,000 and gets
back a scan with some dumpy reports on it (sorry, it's not a SmokingGun
report that shakes the ground and makes angels weep), where is the real
breakdown here? Did she not get something in return? Was she underpaying and
thus getting Crazy Eddie crap? Was her expectation skewed? Or maybe is her
resultant declaration that her company is fully secure after that scan
ludicrous?


The real breakdown here comes from Cloe soliciting the services of someone
who is labeling themselves an expert. This whole "Walmart"-style penetration
tester-in-a-box theme being promoted by underclued individuals and marketed
to the industry is devaluing the work many have worked hard to perfect. Many
have given countless hours, code, write-ups, seminars, you name it. There is
nothing wrong with making a euro, dollar, or baht, don't mistake this, but when
there are mission-critical applications and institutions at hand, that buck
should take a backseat to the security of lives - or did you miss the subject
portion of SCADA Security?


-- 
Making no mistakes is what establishes the certainty of victory, for
it means conquering an enemy that is already defeated. - Sun Tzu
