On Thu, Feb 19, 2009 at 7:15 PM, simon_lists <simon_li...@snosoft.com> wrote:
> Joshua,
> I understand why you wrote what you did but you're wrong. Let me
> explain...
>
> Today the security industry is a confused and immature place. Most
> vendors offer half assed services that sell for half assed prices.

Ironically, your own "company" offered penetration testing services at the insane pricing scheme of "we'll pentest0r joo for free and if we find something you can pay us to find other holes!".

> They advertise those services as if they are high quality, when they
> are not. Few vendors offer high quality services and their prices are
> higher than the half-assed. The problem is that the consumer can't
> tell the difference between the half assed service and the high
> quality service because of how the crap service is marketed. So, to
> the uneducated both look like a Ferrari, one is a kit-car. Of course
> the uneducated people are going to choose the lower quality service.

Gullibility is nothing new, nor is FUD. See my prior response in the paragraph above.

> That said, it's our experience as a high quality vendor that once we
> prove / demonstrate the difference in our services when compared to
> the half-assed that customers are willing to pay for real quality.

Quality vendors in the security industry are a dime a dozen. It's usually the uninformed "security monkeys" damaging the reputations of these companies. When I think of "quality vendors", I think of those who do have a real-world comprehension of security outside of ramblings on a mailing list. Real security professionals rarely have the time to shoot off dozens of email ramblings on a daily basis - you know, the kind your protege Kevin (don't call him black) Finisterre writes. So let's have a manager's view of your purported "quality services" as only you seem to think you can offer it. On your page it states:

"Statistics show that companies who do not invest in good I.T. security will fall victim to at least one serious compromise."
Can you show us where this statement was derived from? Anyone can have fun with numbers; statistics mean little. How have you come to this conclusion? How many clients do you supposedly have, or have studied, to draw this conclusion, since you make no reference to your source of information?

Netragard: "Most of these companies feel that they can not justify the cost of maintaining strong I.T. security for their business."

Woe is me in my understanding of how a company feels. Do they feel (companies)? How do you know? How many companies have you talked to? An individual in a company is no indicator of the overall posture of a company.

Netragard: "The reality is that the cost of good I.T. security is equal to a fraction of the cost of a single successful compromise."

The harsher reality is, you can never judge the reasoning behind a company's staff choosing not to implement the appropriate controls. How many large companies have you worked for in your lifetime - and by large I mean in the 1,000s? There are plenty of obstacles in a company which are preventative to a strong security posture. There are facts like "implementing this new technology will cost us in the millions by way of training, it will disaffect legacy systems, clients may jump ship out of frustration; therefore, for this one technology, we may have to scrap it and put in place for it a compensatory control". Perhaps you should learn about complexity management.

> It's just a matter of arming customers with information so that they
> can make the decision that's right for them. In most cases our
> customers are interested in real security, they can't afford a
> compromise, so they end up working with us. In some cases the customer
> just wants a check in the box, those customers go with the cheaper
> price.

Your comments and those of your fellow "security bandits" humor me. The mechanisms by which you correlate mom-and-pop-like businesses with large corporations are amazing. You should be in sales.
> If customers didn't care about quality and they wanted the cheap
> service then we wouldn't be in business. Right now, we're a lot more
> busy than most security firms and the load is only increasing. So you
> tell me, do people care about quality? Our customers find us because
> of the work we do for other people, quality is our trademark.

Well-pitched, snake-oil-sounding paragraph.

> And don't insult the consumers by saying that they want the cheap
> service, people aren't as stupid as you seem to think.
>

There ARE actually people who are that stupid, and the blind leading the blind is a sad yet funny sight. So, as I asked your friend Kevin, you know, the "don't call me black - I don't even work in the security industry but sure answer a ton of questions in the field I don't even work in" Kevin: how much experience do you *really* have outside of being legends in your own mind? As I sift through years of mailing list threads, I've seen nothing to lead me to believe you're any more of an expert than a script kiddie pitching tools on a Flash-based website and calling yourself a "security expert". The irony of Kevin's prior statement speaks for itself: "Just so you know I do have a day job, 9-6 that has nothing to do with security." Stop the press right there; isn't that akin to me giving out medical advice on, say, a medical mailing list without even working in the medical industry? How, better yet why, should I take him, you or your company seriously? For starters, it's sounding more like you have an IRC-based company; your workers (who don't work in the security field, as Kevin stated) work a 9-6 elsewhere and have personal issues of race when questioned about the validity of their status in the industry.

On prior matters of your stated "coward" comment, it has little to do with being a coward and more to do with due diligence. I won't post my identity, not to protect myself, but the company I work for.
I don't need ping -f like DoS attacks coming into my infrastructure because you and your protege Kevin feel slighted about me questioning your competence in the industry. For me, I know those who need to be known; security has always been a small industry, and you, sir, are not even on my level technologically, let alone on the level you're portraying yourself to be on these mailing lists. Anyone can go back and re-read the numerous posts you clowns (Kevin, you, Adriel *Netragard*) make and ascertain this to be factual - you have little real-world skill in this industry; proceed with caution.

There is a snippet of a song perhaps Kevin can relate to; this I will throw out there since he has an internal racial inferiority complex: "We ain't no haters like you... Bow Down to some nigga's that's greater than you" (Westside Connection)

Ending on that note, thank you for playing the game with me and enforcing the facts we already know: you guys are all talk, nothing more and nothing less. Definitely not to be taken seriously.

PS, say hello to Loki for me, will ya.

>
> On Feb 19, 2009, at 3:49 PM, Yehoshua Haparua wrote:
>
>> Oh enough with the holier than thou attitude, Kevin !!! You work for
>> money just like any vendor, though the product you vend is a bit
>> different.
>> Let's say you were offered 750$ an hour for penetrating a community
>> college network (they got a nice donation for that) or 200$ an hour
>> for penetrating a local utility. Would you "lose" 500$ (times the
>> hours) just to be more "important"? Ethical? The mighty dollar is
>> also affecting your decisions.
>> You call for the vendors to take a hit for a few licenses. Are you
>> willing to do pro-bono pen-testing just to help a vendor improve his
>> product, without getting the publicity for it? No, right? So why do
>> you expect them to act differently?
>> Today's post modern market is geared towards minimum price. People
>> are not even expecting quality anymore.
>> Regulation can help, even a lot, so you need decent politics to push
>> for effective regulation. Pushing the full blame at the vendors is
>> just kicking the nearest object (and yourself, Kevin, since you are
>> also a vendor).
>>
>> Joshua M.
>>
>> On Thu, Feb 19, 2009 at 9:15 PM, Kevin Finisterre (lists) <
>> kf_li...@digitalmunition.com> wrote:
>>
>>> That's exactly my point Larry.. there isn't any incentive. No
>>> regulation, no worries.
>>>
>>> I'm sure Citect could have easily been driven from the market and
>>> based on the wild claims I heard during my disclosure process perhaps
>>> they were pretty close to it.
>>>
>>> Besides lack of incentive, it's sooooooooooo much easier to chastise
>>> the big meanies that publish security information and react on an as
>>> needed basis, rather than actually doing something that may impact
>>> the "bottom line", all the while actually improving the status quo.
>>>
>>> /me wonders when pride and devotion to one's work and craft gave way
>>> to making the almighty dollar.
>>> -KF
>>>
>>>
>>> On Feb 19, 2009, at 1:56 PM, ljknews wrote:
>>>>
>>>> Speaking from the viewpoint of a software vendor, let me ask
>>>> where the incentive is to care about such things? Where are
>>>> the examples of prominent products being driven from the market
>>>> due to a lack of software quality?
>>>> --
>>>> Larry Kilgallen
>>>> _______________________________________________
>>>> To unsubscribe from this mailing list, please visit:
>>>> http://news.infracritical.com/mailman/listinfo/scadasec
>>>>
>>>> To review our usage policy, please visit:
>>>> http://www.infracritical.com/usage-scadasec.html
>>>
>>
>
>
> Simon Smith
> simon_li...@snosoft.com
> --------------------------------------
>
> Subscribe to our blog
> http://snosoft.blogspot.com
>

--
Making no mistakes is what establishes the certainty of victory, for it means conquering an enemy that is already defeated.
- Sun Tzu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/