Hi Loki

On Feb 20, 2009, at 9:24 AM, Smoking Gun wrote:

> On Thu, Feb 19, 2009 at 7:15 PM, simon_lists <simon_li...@snosoft.com> wrote:
>
>> Joshua,
>> I understand why you wrote what you did but you're wrong. Let me
>> explain...
>>
>> Today the security industry is a confused and immature place. Most
>> vendors offer half-assed services that sell for half-assed prices.
>
> Ironically, your own quote"company"quote offered penetration testing
> services at the insane pricing scheme of "we'll pentest0r joo for free
> and if we find something you can pay us to find other holes!".
>
>> They advertise those services as if they are high quality, when they
>> are not. Few vendors offer high quality services and their prices are
>> higher than the half-assed. The problem is that the consumer can't
>> tell the difference between the half-assed service and the high
>> quality service because of how the crap service is marketed. So, to
>> the uneducated both look like a Ferrari, one is a kit-car. Of course
>> the uneducated people are going to choose the lower quality service.
>
> Gullibility is nothing new nor is FUD. See my prior response in the
> paragraph above.
>
>> That said, it's our experience as a high quality vendor that once we
>> prove / demonstrate the difference in our services when compared to
>> the half-assed that customers are willing to pay for real quality.
>
> Quality vendors in the security industry are a dime a dozen. It's
> usually the uninformed "security monkeys" damaging the reputations of
> these companies. When I think of "quality vendors", I think of those
> who do have a real world comprehension of security outside of
> ramblings on a mailing list. Real security professionals rarely have
> the time to shoot off dozens of email ramblings on a daily basis - you
> know the kind like your protege Kevin (don't call him black)
> Finisterre writes.
>
> So let's have a manager's view of your purported "quality services"
> as only you seem to think you can offer it.
>
> On your page it states: "Statistics show that companies who do not
> invest in good I.T. security will fall victim to at least one serious
> compromise." Can you show us where this statement was derived from;
> anyone can have fun with numbers, statistics mean little; how have you
> come to this conclusion, how many clients do you supposedly have or
> have studied, to draw this conclusion since you make no reference to
> your source of information.
>
> Netragard: "Most of these companies feel that they can not justify the
> cost of maintaining strong I.T. security for their business." Woe is
> me in my understanding of how a company's feeling. Do they feel
> (companies)? How do you know, how many companies have you talked to?
> An individual in a company is no indicator of the overall posture of a
> company.
>
> Netragard: "The reality is that the cost of good I.T. security is
> equal to a fraction of the cost of a single successful compromise."
> The harsher reality is, you can never judge the reasoning behind a
> company's staff to not implement the appropriate controls. How many
> large companies have you worked for in your lifetime - and by large I
> mean in the 1,000's. There are plenty of obstacles in a company which
> are preventative to a strong security posture. There are facts like
> "implementing this new technology will cost us in the millions via way
> of training, it will disaffect legacy systems, clients may jump ship
> out of frustration therefore for this one technology, we may have to
> scrap it and put in place for it a compensatory control". Perhaps you
> should learn about complexity management.
>
>> It's just a matter of arming customers with information so that they
>> can make the decision that's right for them. In most cases our
>> customers are interested in real security, they can't afford a
>> compromise, so they end up working with us. In some cases the
>> customer just wants a check in the box, those customers go with the
>> cheaper price.
>
> Your comments and those of your fellow "security bandits" humor me.
> The mechanisms in which you correlate mom and pop like businesses
> with large corporations is amazing. You should be in sales.
>
>> If customers didn't care about quality and they wanted the cheap
>> service then we wouldn't be in business. Right now, we're a lot more
>> busy than most security firms and the load is only increasing. So you
>> tell me, do people care about quality? Our customers find us because
>> of the work we do for other people, quality is our trademark.
>
> Well pitched snake oil sounding paragraph.
>
>> And don't insult the consumers by saying that they want the cheap
>> service, people aren't as stupid as you seem to think.
>
> There ARE actually people who are that stupid and the blind leading
> the blind is a sad yet funny sight. So as I asked your friend Kevin,
> you know the "don't call me black - I don't even work in the security
> industry but sure answer a ton of questions in the field I don't even
> work in" Kevin, how much experience do you *really* have outside of
> being legends in your own mind.
>
> As I sift through years of mailing list threads, I've seen nothing to
> lead me to believe you're any more of an expert than a script kiddie
> pitching tools on a flash based website and calling yourself a
> quote"security expert"quote. The irony of Kevin's prior statement
> speaks for itself: "Just so you know I do have a day job, 9-6 that has
> nothing to do with security." Stop the press right there, isn't that
> akin to me giving out medical advice on say a medical mailing list
> without even working in the medical industry? How, better yet why
> should I take him, you or your company seriously. For starters, it's
> sounding more like you have an IRC based company, your workers (who
> don't work in the security field as Kevin stated) work a 9-6
> elsewhere and have personal issues of race when questioned about the
> validity of their status in the industry.
>
> On prior matters of your stated "coward" comment, it has little to do
> with being a coward and more of dealing with due diligence. I won't
> post my identity not to protect myself, but the company I work for. I
> don't need ping -f like DoS attacks coming into my infrastructure
> because you and your protege Kevin feel slighted about me questioning
> your competence in the industry. For me, I know those who need to be
> known, security has always been a small industry, and you sir, you're
> not even on my level technologically, let alone on the level you're
> portraying yourself to be on these mailing lists. Anyone can go back
> and re-read the numerous posts you clowns (Kevin, you, Adriel
> *Netragard*) make and ascertain this to be factual - you have little
> real world skills in this industry, proceed with caution.
>
> There is a snippet of a song perhaps Kevin can relate to, this I will
> throw out there since he has an internal racial inferiority complex:
> "We aint no haters like you... Bow Down to some nigga's that's greater
> than you" (Westside Connection). Ending on that note, thank you for
> playing the game with me and enforcing the facts we already know, you
> guys are all talk nothing more and nothing less. Definitely not to be
> taken seriously.
>
> PS, say hello to Loki for me will ya.
>
>> On Feb 19, 2009, at 3:49 PM, Yehoshua Haparua wrote:
>>
>>> Oh enough with the holier than thou attitude, Kevin !!! You work for
>>> money just like any vendor, though the product you vend is a bit
>>> different.
>>> Let's say you were offered 750$ an hour for penetrating a community
>>> college network (they got a nice donation for that) or 200$ an hour
>>> for penetrating a local utility. Would you "lose" 500$ (times the
>>> hours) just to be more "important"? Ethical? The mighty dollar is
>>> also affecting your decisions.
>>> You call for the vendors to take a hit for a few licenses. Are you
>>> willing to do pro-bono pen-testing just to help a vendor improve his
>>> product, without getting the publicity for it? No, right? So why do
>>> you expect them to act differently?
>>> Today's post modern market is geared towards minimum price. People
>>> are not even expecting quality anymore. Regulation can help, even a
>>> lot, so you need decent politics to push for effective regulation.
>>> Pushing the full blame at the vendors is just kicking the nearest
>>> object (and yourself, Kevin, since you are also a vendor).
>>>
>>> Joshua M.
>>>
>>> On Thu, Feb 19, 2009 at 9:15 PM, Kevin Finisterre (lists) <
>>> kf_li...@digitalmunition.com> wrote:
>>>
>>>> That's exactly my point Larry.. there isn't any incentive. No
>>>> regulation, no worries.
>>>>
>>>> I'm sure Citect could have easily been driven from the market and
>>>> based on the wild claims I heard during my disclosure process
>>>> perhaps they were pretty close to it.
>>>>
>>>> Besides lack of incentive it's sooooooooooo much easier to chastise
>>>> the big meanies that publish security information and react on an
>>>> as needed basis, rather than actually doing something that may
>>>> impact the "bottom line" all the while actually improving the
>>>> status quo.
>>>>
>>>> /me wonders when pride and devotion to one's work and craft gave
>>>> way to making the almighty dollar.
>>>> -KF
>>>>
>>>> On Feb 19, 2009, at 1:56 PM, ljknews wrote:
>>>>>
>>>>> Speaking from the viewpoint of a software vendor, let me ask
>>>>> where the incentive is to care about such things? Where are
>>>>> the examples of prominent products being driven from the market
>>>>> due to a lack of software quality?
>>>>> --
>>>>> Larry Kilgallen
>>>>> _______________________________________________
>>>>> To unsubscribe from this mailing list, please visit:
>>>>> http://news.infracritical.com/mailman/listinfo/scadasec
>>>>>
>>>>> To review our usage policy, please visit:
>>>>> http://www.infracritical.com/usage-scadasec.html
>>
>> Simon Smith
>> simon_li...@snosoft.com
>> --------------------------------------
>>
>> Subscribe to our blog
>> http://snosoft.blogspot.com
>
> --
> Making no mistakes is what establishes the certainty of victory, for
> it means conquering an enemy that is already defeated. - Sun Tzu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Adriel T. Desautels
ad_li...@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com