Information Security News mailing list archives

Security Quotes


From: InfoSec News <isn () c4i org>
Date: Wed, 14 Nov 2001 09:08:08 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>


(A bit off topic, I realize, but a few quotes that stood out over the
last year or so on Bugtraq, Pen-Test and ISN.)


--

Sorry, I don't read .pdf files from CISSP people. - modify () attrition org

I find that standing outside the front door smoking a cig is an easy
way to get access to nearly any site.  Everyone assumes that you have
just "stepped outside for a smoke".  Hell, at a few places people even
take the time to hold the door for you.  Politeness is indeed a major
danger to security, and something to take advantage of in an overall
penetration test. - Drew Simonis (care227 () ATTGLOBAL NET)

Just to be completely clear on this issue. These are the same
customers you are referring to whom Microsoft thought would need MS
Bob and the Talking Paperclip? One thing is to give them enough rope
to hang themselves, but a boobytrapped thermonuclear weapon running
on a rand(time) countdown? Is that really wise? - Terje Bless
(link () TSS NO)

As one wise auditor once told me "there are those who have 20 years of
experience, and those who have one year of experience twenty times". -
Mark Williams (mdwilliams_44 () YAHOO COM)

I've completely abandoned SANS; they seem to be a pack of utter,
incurable, incompetent, unprofessional morons. They specifically
endorse and recommend sendmail and BIND, and refuse to listen to
discussions critical of these recommendations. That's enough, as far
as I'm concerned; anything that has the SANS name on it can be
ignored. - Bennett Todd (bet () RAHUL NET)

Mapping is best done with nessus, firewalk, ping, traceroute, and the
route servers for network and transport layer.  tcpdump, arp and
anti-sniff for ethernet/link layer. Nmap is fine for session.
Application, well, that's brute forcers, skriptz, whisker, and good
old fashioned kung-f00 with some genuine clue thrown in for good
measure. - batz (batsy () VAPOUR NET)

.. divided betwen people that know what they do and other people that
think they know cause they where tought and are certified. -
simonis () myself com

What exactly do you have against education? (besides the obvious
disdain for punctuation and proper spelling)  EVERYONE must learn the
skills we need to know in today's world.  I have yet to meet a person
who was thrust from the womb with a PDA and a laptop, ready to go.
Your complaint regarding people who got "tought" (sic) is as foolish
as any I have heard. - dodger () 2600 com

"Today's piece of secure software is the subject of tomorrow's Bugtraq
posting."

YEAH RIGHT, and we all want our scan results to go through a third
party. Sure.  Not a great idea folks.  Sorry, stick to the proven
modular opensource client/server scanners out there... that way, even
you GUI junkies can do it. - Oliver Petruzel
(oliverpetruzel () EMAIL COM)

I can say for sure that I would not want anyone who could not figure
out listserv (with its AMPLE documentation) to either audit my
network or perform system forensics for me. - Alfred Huger
(ah () SECURITYFOCUS COM)

Regarding a bug in php-nuke: Yeah... but just say to me what can you
do with a passwd file? Just nothing. The important file isn't passwd,
it's /etc/shadow, right? And you get permission denied on that file...
IF you get it you'll need a supercomputer to crack md5 passwords. Just
my thoughts. /etc/passwd had problems in the past where crypted
passwords were stored in it, but now that problem is no more. - Francisco
Burzi (NuKeLiTe) (fburzi () ncc org ve)

Two comments that stand out in reference to the efficacy of air-gap
products are: 1) A firewall is a tunnel, an air gap is a tunnel. And a
tunnel is a tunnel is a tunnel. Giving it another name doesn't mean it
isn't the same.  2) Roger Marquis said so poignantly:  A half-duplex
datastream with picosecond turnaround, coupled with a micrometer gap
between two fiber connectors doesn't make a product any more or less
secure than other firewalls. - Ben Rothke (ben.rothke () baltimore com)
