Re: [Full-disclosure] [SCADASEC] 11. Re: SCADA Security - Software fee's
- To: Smoking Gun <pentesterkunt@xxxxxxxxx>
- Subject: Re: [Full-disclosure] [SCADASEC] 11. Re: SCADA Security - Software fee's
- From: "Adriel T. Desautels" <ad_lists@xxxxxxxxxxxxx>
- Date: Fri, 20 Feb 2009 09:44:59 -0500
Hi Loki
On Feb 20, 2009, at 9:24 AM, Smoking Gun wrote:
> On Thu, Feb 19, 2009 at 7:15 PM, simon_lists
> <simon_lists@xxxxxxxxxxx> wrote:
>
>> Joshua,
>> I understand why you wrote what you did but you're wrong. Let me
>> explain...
>>
>> Today the security industry is a confused and immature place. Most
>> vendors offer half-assed services that sell for half-assed prices.
>
> Ironically, your own quote"company"quote offered penetration testing
> services at the insane pricing scheme of "we'll pentest0r joo for free
> and if we find something you can pay us to find other holes!".
>
>
>> They advertise those services as if they are high quality, when they
>> are not. Few vendors offer high quality services and their prices are
>> higher than the half-assed. The problem is that the consumer can't
>> tell the difference between the half-assed service and the high
>> quality service because of how the crap service is marketed. So, to
>> the uneducated both look like a Ferrari; one is a kit car. Of course
>> the uneducated people are going to choose the lower quality service.
>
> Gullibility is nothing new nor is FUD. See my prior response in the
> paragraph above.
>
>> That said, it's our experience as a high quality vendor that once we
>> prove / demonstrate the difference in our services when compared to
>> the half-assed that customers are willing to pay for real quality.
>
> Quality vendors in the security industry are a dime a dozen. It's
> usually the uninformed "security monkeys" damaging the reputations of
> these companies. When I think of "quality vendors", I think of those
> who do have a real world comprehension of security outside of ramblings
> on a mailing list. Real security professionals rarely have the time to
> shoot off dozens of email ramblings on a daily basis - you know the
> kind like your protege Kevin (don't call him black) Finisterre writes.
> So let's have a manager's view of your purported "quality services" as
> only you seem to think you can offer it.
>
> On your page it states: "Statistics show that companies who do not
> invest in good I.T. security will fall victim to at least one serious
> compromise." Can you show us where this statement was derived from?
> Anyone can have fun with numbers; statistics mean little. How have you
> come to this conclusion? How many clients do you supposedly have, or
> have studied, to draw this conclusion, since you make no reference to
> your source of information?
>
> Netragard: "Most of these companies feel that they can not justify the
> cost of maintaining strong I.T. security for their business." Woe is
> me in my understanding of how a company is feeling. Do they feel
> (companies)? How do you know? How many companies have you talked to?
> An individual in a company is no indicator of the overall posture of
> a company.
>
> Netragard: "The reality is that the cost of good I.T. security is
> equal to a fraction of the cost of a single successful compromise."
> The harsher reality is, you can never judge the reasoning behind a
> company's staff not implementing the appropriate controls. How many
> large companies have you worked for in your lifetime - and by large I
> mean in the 1,000s? There are plenty of obstacles in a company which
> are preventative to a strong security posture. There are facts like
> "implementing this new technology will cost us in the millions by way
> of training, it will disaffect legacy systems, clients may jump ship
> out of frustration; therefore for this one technology, we may have to
> scrap it and put in place for it a compensatory control." Perhaps you
> should learn about complexity management.
>
>
>> It's just a matter of arming customers with information so that they
>> can make the decision that's right for them. In most cases our
>> customers are interested in real security, they can't afford a
>> compromise, so they end up working with us. In some cases the
>> customer just wants a check in the box; those customers go with the
>> cheaper price.
>
> Your comments and those of your fellow "security bandits" humor
> me. The mechanism by which you correlate mom-and-pop-like
> businesses with large corporations is amazing. You should be in
> sales.
>
>> If customers didn't care about quality and they wanted the cheap
>> service then we wouldn't be in business. Right now, we're a lot more
>> busy than most security firms and the load is only increasing. So you
>> tell me, do people care about quality? Our customers find us because
>> of the work we do for other people; quality is our trademark.
>
> Well-pitched, snake-oil-sounding paragraph.
>
>> And don't insult the consumers by saying that they want the cheap
>> service; people aren't as stupid as you seem to think.
>>
>
> There ARE actually people who are that stupid, and the blind leading
> the blind is a sad yet funny sight. So as I asked your friend Kevin,
> you know the "don't call me black - I don't even work in the security
> industry but sure answer a ton of questions in the field I don't even
> work in" Kevin, how much experience do you *really* have outside
> of being legends in your own minds?
>
> As I sift through years of mailing list threads, I've seen nothing to
> lead me to believe you're any more of an expert than a script kiddie
> pitching tools on a Flash-based website and calling yourself a
> quote"security expert"quote. The irony of Kevin's prior statement
> speaks for itself: "Just so you know I do have a day job, 9-6 that has
> nothing to do with security." Stop the press right there; isn't that
> akin to me giving out medical advice on, say, a medical mailing list
> without even working in the medical industry? How, or better yet why,
> should I take him, you or your company seriously? For starters, it's
> sounding more like you have an IRC-based company, your workers
> (who don't work in the security field, as Kevin stated) work a 9-6
> elsewhere and have personal issues of race when questioned about
> the validity of their status in the industry.
>
> On prior matters of your stated "coward" comment, it has little
> to do with being a coward and more to do with due diligence.
> I won't post my identity, not to protect myself but the company
> I work for. I don't need ping -f like DoS attacks coming into my
> infrastructure because you and your protege Kevin feel slighted
> about me questioning your competence in the industry. For me,
> I know those who need to be known; security has always
> been a small industry, and you, sir, you're not even on my level
> technologically, let alone on the level you're portraying yourself
> to be on these mailing lists. Anyone can go back and re-read the
> numerous posts you clowns (Kevin, you, Adriel *Netragard*)
> make and ascertain this to be factual - you have few real
> world skills in this industry; proceed with caution.
>
> There is a snippet of a song perhaps Kevin can relate to; this
> I will throw out there since he has an internal racial inferiority
> complex: "We aint no haters like you... Bow Down to some
> nigga's that's greater than you" (Westside Connection). Ending
> on that note, thank you for playing the game with me and
> enforcing the facts we already know: you guys are all talk,
> nothing more and nothing less. Definitely not to be taken
> seriously.
>
> PS, say hello to Loki for me, will ya.
>
>
>>
>> On Feb 19, 2009, at 3:49 PM, Yehoshua Haparua wrote:
>>
>>> Oh, enough with the holier-than-thou attitude, Kevin!!! You work for
>>> money just like any vendor, though the product you vend is a bit
>>> different.
>>> Let's say you were offered $750 an hour for penetrating a community
>>> college network (they got a nice donation for that) or $200 an hour
>>> for penetrating a local utility. Would you "lose" $500 (times the
>>> hours) just to be more "important"? Ethical? The mighty dollar is
>>> also affecting your decisions.
>>> You call for the vendors to take a hit for a few licenses. Are you
>>> willing to do pro-bono pen-testing just to help a vendor improve his
>>> product, without getting the publicity for it? No, right? So why do
>>> you expect them to act differently?
>>> Today's post-modern market is geared towards minimum price. People
>>> are not even expecting quality anymore. Regulation can help, even a
>>> lot, so you need decent politics to push for effective regulation.
>>> Pushing the full blame at the vendors is just kicking the nearest
>>> object (and yourself, Kevin, since you are also a vendor).
>>>
>>> Joshua M.
>>>
>>> On Thu, Feb 19, 2009 at 9:15 PM, Kevin Finisterre (lists) <
>>> kf_lists@xxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> That's exactly my point, Larry.. there isn't any incentive. No
>>>> regulation, no worries.
>>>>
>>>> I'm sure Citect could have easily been driven from the market and,
>>>> based on the wild claims I heard during my disclosure process,
>>>> perhaps they were pretty close to it.
>>>>
>>>> Besides lack of incentive, it's sooooooooooo much easier to chastise
>>>> the big meanies that publish security information and react on an
>>>> as-needed basis, rather than actually doing something that may
>>>> impact the "bottom line" all the while actually improving the
>>>> status quo.
>>>>
>>>> /me wonders when pride and devotion to one's work and craft gave way
>>>> to making the almighty dollar.
>>>> -KF
>>>>
>>>>
>>>> On Feb 19, 2009, at 1:56 PM, ljknews wrote:
>>>>>
>>>>> Speaking from the viewpoint of a software vendor, let me ask
>>>>> where the incentive is to care about such things? Where are
>>>>> the examples of prominent products being driven from the market
>>>>> due to a lack of software quality?
>>>>> --
>>>>> Larry Kilgallen
>>>>> _______________________________________________
>>>>> To unsubscribe from this mailing list, please visit:
>>>>> http://news.infracritical.com/mailman/listinfo/scadasec
>>>>>
>>>>> To review our usage policy, please visit:
>>>>> http://www.infracritical.com/usage-scadasec.html
>>>>
>>>>
>>
>>
>>
>> Simon Smith
>> simon_lists@xxxxxxxxxxx
>> --------------------------------------
>>
>> Subscribe to our blog
>> http://snosoft.blogspot.com
>>
>>
>>
>>
>>
>
>
>
> --
> Making no mistakes is what establishes the certainty of victory, for
> it means conquering an enemy that is already defeated. - Sun Tzu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com