Secreview re-review of quietmove ( F ---)
From: Adam Muntner <adam.muntner () quietmove com>
Date: Wed, 2 Jan 2008 09:32:42 -0500
Andre is a friend but not an employee or representative of the
business- HOWEVER - There were a number of inaccuracies in his
statements about me. A selection of corrections to statements are below.
- I never ran UPT
- all the speculation about our methodology and pricing was wrong.
- the quantity of automated vs hands on testing we perform is based on
what the customer is willing to pay for. Novel concept. We explain
carefully what can and can't be found. The customer selects their
appropriate level of risk acceptance based on the value of the target of
evaluation and their budget. We always try to go above and beyond.
- our overhead is low-no giant headquarters - we are virtual mostly
except for a rack cage. We don't have to support a giant marketing
team and don't do $20k trade show booths. As a result that isn't built
into our pricing.
- I was never a 'UNIX admin' but did engineer one of the early
commercially avail Beowulf clusters - in 1998 - and have run some unix
boxes, meaning it took all of 3 hours a month of my time, but I was
not a 'unix admin' by any stretch of the imagination. The OpenBSD
posts were from what, 10 years ago?
More evidence of your poor arithmetic skills from the initial post.
- the website wasn't updated because I am taking a vacation to NYC and
would rather enjoy myself than meet some 12 hour unmentioned timetable
to edit the website by an anonymous coward pfy.
- they weren't insults, they were sarcastic though accurate
representations of your subpar (at best) review capabilities
- others but really, who cares? You are not interested in facts as I
will prove below.
Your analysis is worthless. Several weeks ago you posted your alleged
methodology. It included contacting the vendor PRIOR to review, which
you didn't do. You also didn't notify us of the review. I read it on FD.
You sent a list of questions on New Year's Day, after you posted the
review, and half a day later posted your re-review without again
contacting me directly except with a monster list of questions - not
so much as a phone call. Your alleged review was based on list noise,
not speaking with me.
You still have yet to post your scoring methodology as promised. You
Frankly I find the drama and anonymous weenie-waving on this list to
be tedious. FD is more a running joke than a productive mailing list.
Save the drama fo yo mama.
On my timetable I'll respond to your questions.... To the list, not to
you directly. Frankly I don't trust you to represent them accurately.
Right now I'm going to visit the Metropolitan Museum of Art, and
tonight go party - not answer your essay test. Sorry to disappoint.
As a number of list members commented privately to me - you don't
deserve the attention.
That said, if you can prove you will follow your own previously stated
methodology, I'll re review your review system. Following your
methodology I will post a f----------- score in 6-12 hours or maybe
sooner if you don't respond.
That's a joke, son. ;)
Sorry for typos - sent from my 31337 jailbroken iPhone. It runs unix.
I guess that makes me a unix admin!
On Jan 2, 2008, at 2:17 AM, secreview <secreview () hushmail com> wrote:
Our first QuietMove review can be found here.
QuietMove, located at http://www.quietmove.com is a Professional IT
Security Services company that was founded by Adam Muntner, Jeffrey
Rassas and James G. (Jim) Garvey, Jr. We’ve already performed one
review of QuietMove but Adam Muntner and his team didn’t like the
review. As a result, we’ve gone back and revisited our data and are
producing this second, hopefully more accurate review.
Our first point of criticism is still the QuietMove web-site. Their
services are poorly defined, and even somewhat contradictory. For
example, under their Penetration Testing section they nearly bash
the use of Automated tools. Shortly thereafter they go on to say
that they offer services for nearly the same cost as “cookie-
Well, we still have a problem with that. The overhead cost of using
quality talent is always going to be far greater than the fees
charged by vendors that sell automated scanning software. Any time
someone tells us that they can offer “expert driven” services at
the same price points or even nearly the same as a “cookie
cutter” service, we say bullshit.
Taking it a step further, we still stick by our previous opinion
that the QuietMove website doesn’t have much to offer prospective
customers in the way of useful information. The services shown are
very poorly defined; the grammar is still horrible, and frankly the
website is incomplete. Want to see what we mean, click on their “Social
Engineering” tab under their service offerings; you’ll notice
that there is no description. We hope that their website does not
reflect the quality of their services.
When Adam Muntner read our previous post where we commented on the
QuietMove Website he responded in a reactive, emotional, and
unprofessional manner. You can read his response to our first post
here, insults and all. Unfortunately for Adam, his unprofessional
attitude hurt QuietMove during this second review.
Regardless, Adam did react to our website comments, and his reaction
was as follows, verbatim:
“Most of our clients are referred by others who are very satisfied
with the work we perform. Not by the website. It doesn't get a lot of
attention - were small but growing and focused on serving our
clients. I know basic HTML seems like the pinnacle of achievement to you,
but we aren't in the business of making pretty web pages. We
discuss our methodology with our clients-we don't post it on the web. I
know you were hoping to learn nimething. Hacking for dummies might be
more your speed, after you perfect your Cunt and Paste skills.”
During this second round of review, we were able to locate more
information about Adam. We found several posts that Adam made to
different mailing lists about FreeBSD, OpenBSD, Systems
Administration, etc. We also found a rather nice PowerPoint
presentation that Adam created that clearly defined specific
security services. So we know that Adam is not an idiot, but we
don’t know if he’s actually a security guru. We’re also wondering why
Adam doesn’t create the same quality content for his QuietMove
website as he did for his presentation?
In tandem with Adam’s response to our initial review of QuietMove,
Adam also had other friends and associates respond. One of those
people was Andre Gironda who had a lot of great things to say about
QuietMove, but also made the unfortunate mistake of tainting his
credibility as a professional by directly attacking other vendors.
Andre Gironda asked us who we are in one of his emails. He also
indirectly accused us of exacting vengeance on QuietMove by
performing a review. While we’ve never been accused of this before
by any of our other review subjects, we feel that we should state for
the record that this is not some sort of vengeance play.
Andre Gironda also said that he can vouch for Adam’s 14 years of
experience “and then some”. Apparently when Andre met Adam of
QuietMove, Adam was working as a Unix Security Administrator for
Unphamiliar Territories (UPT), “a vulnerability research BBS that ran
from 1989 – 1996.” Also according to Andre Gironda, “It was a
prominent place for information about vulnerability research. Many
held it in higher regard than Phrack magazine or any leading
website/magazine during that time period.”
Sorry Andre, but we don’t agree with your statement about UPT. Even
more importantly, we’re not sure how Adam’s experience as a Unix
Security administrator (aka systems admin) will help him offer
professional IT Security Services. Adam needs to be able to protect his
clients from real world hackers, not from failed tape backups and dis
Andre went on to say that many “small businesses such as QuietMove
have a hard enough time staying alive in this industry.” He said
“I suggest you pick on someone your own size even if you have a
legitimate problem with QuietMove or Adam.” Our response is that we
have no problem with Adam or QuietMove. We found QuietMove by doing
a google search for Penetration Testi
In a different email Andre lost all credibility with us because he
decided to directly attack other companies that we’ve reviewed that
received higher grades. If you compare the score cards between
QuietMove and the other company that Andre bashes, you’ll see why they
got the good grade. Anyway, here’s what Andre had to say (we’ll
“Look, you rated Denim Group as A-. You must either work there - or
know the guys. Dan Cornell is a moron compared to Adam Muntner - and
his code is certainly worse (e.g. Sprajax).
Adam and team know Burp Suite, use manual web application testing - in
addition to traditional dynamic and static analysis.
I have seen Adam and crew using Fortify Software's SCA and Tracer
tools. I have seen them using Hailstorm ARC and modifying the
best-of-breed security testing methodology.
I have worked for many small companies myself who do not use ANY
automated testing, including both open-source and commercial tools. I
think this is stupid... and spent most of my time writing `for' loops
in shell just to get around their limitation on "not writing scripts
to automate things".
I have also worked for small companies that "only" use scripting
languages, or only use "the best" scripting language (usually Ruby,
Python, or Perl) and write all their own automated tools. This is
also stupid -- especially when existing toolsets have lots of great
capability -- it's like re-inventing the wheel.
Of course there are places that "only use" commercial automated tools,
but I haven't actually met one yet. When I do -- I'll go ahead and
post an obnoxious review about them. More people will read mine than
anything you do -- and with my name on it -- they are certainly bound
to take it a lot more seriously.”
Andre lost all credibility with our team when he insulted the Denim
Group. We contacted the Denim Group and spoke directly with one of
their founders when we did their review. Not only were we very
impressed with them, but they provided us with great detail about
their testing methodologies and service capabilities. Adam, Andre
and the rest of the QuietMove team haven’t provided us with anything
tangible yet, and we’ve asked. When we tried to contact them the
first time we couldn’t get hold of them, same for the second.
We’re still waiting to hear back from Adam at QuietMove with answers
to our questions about the QuietMove services. If we hear back,
we’ll modify this blog entry yet again to properly reflect what we feel
is the truth. We’d also like to make the professional suggestion
that QuietMove think about their professional image before they
respond to anyone in public forum. Not only does their reaction not look
good but it could make prospective customers turn away.
Lastly, with respect to our comment about Marcin Wielgoszewski, a
QuietMove consultant being “Green”, he confirmed that for us in
an email. He wrote “You're right. I'm new and young and I'll be the
first to admit it. We can't all be born security gurus, and I'm not
trying to hide that, but me aside... what have you done besides hide
behind your gmail account
and troll FD? Thanks for pointing out those two pages, two pages out
of 100's that
were posted a long time ago and yes, are very out of date.”
All in all, our professional opinion is still that QuietMove
doesn’t have significant “strong” human talent behind their
services. They appear to be a very small company run by someone that
is not a “hacker” by nature but instead is a systems
administrator or your advanced IT guy with a good understanding of
Web Application Security. If you are looking to truly defend
yourselves against malicious hackers then we suggest finding a different pro
Note: If we receive any information back from QuietMove, other than
what we’ve received in emotional reactions, then we’ll consider
adding that information to this review. If QuietMove can provide us
with proof of capability then we will accurately reflect that
capability here. We’re not in the business of bashing anyone even if they
bash us or disrespect us. We are in the business of exposing
Professional IT Security Service providers for what they really are to the
best of our ability.
If you feel that QuietMove deserves a better grade and can provide
us with legitimate reasons as to why, then please comment and we’ll
consider it. (Even after all of their insults.)
Score Card
Posted By secreview to Professional IT Security Providers - Exposed
at 1/01/2008 10:38:00 PM
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/