Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [SCADASEC] 11. Re: SCADA Security - Software fee's
From: Smoking Gun <pentesterkunt () gmail com>
Date: Fri, 20 Feb 2009 09:24:29 -0500

On Thu, Feb 19, 2009 at 7:15 PM, simon_lists <simon_lists () snosoft com> wrote:

       I understand why you wrote what you did but you're wrong. Let me

       Today the security industry is a confused and immature place.  Most
vendors offer half assed services that sell for half assed prices.

Ironically, your own quote"company"quote offered penetration testing
services at the insane pricing scheme of "we'll pentest0r joo for free
and if we find something you can pay us to find other holes!".

They advertise those services as if they are high quality, when they
are not.  Few vendors offer high quality services and their prices are
higher than the half-assed. The problem is that the consumer can't
tell the difference between the half assed service and the high
quality service because of how the crap service is marketed.  So, to
the uneducated both look like a ferrari, one is a kit-car. Of course
the uneducated people are going to choose the lower quality service.

Gullibility is nothing new nor is FUD. See my prior response in the
paragraph above.

       That said, its our experience as a high quality vendor that once we
prove / demonstrate the difference in our services when compared to
the half-assed that customers are willing to pay for real quality.

Quality vendors in the security industry are a dime a dozen. It's usually
the uninformed "security monkeys" damaging the reputations of these
companies. When I think of "quality vendors", I think of those who do
have a real world comprehension of security outside of ramblings on a
mailing list. Real security professionals rarely have the time to shoot
off dozens of email ramblings on a daily basis - you know the kind like
your protege Kevin (don't call him black) Finestere writes. So let's have
a manager's view of your purported "quality services" as only you seem
to think you can offer it.

On your page it states: "Statistics show that companies who do not
invest in good I.T. security will fall victim to at least one serious
compromise." Can you show us where this statement was derived from;
anyone can have fun with numbers, statistics mean little; how have you
come to this conclusion, how many clients do you supposedly have or
have studied, to draw this conclusion since you make no reference to
your source of information.

Netragard: "Most of these companies feel that they can not justify the
cost of maintaining strong I.T. security for their business." Woe is me in
my  understanding of how a company's feeling. Do they feel (companies)?
How do you know, how many companies have you talked to? An individual
in a company is no indicator of the overall posture of a company.

Netragard: "The reality is that the cost of good I.T. security is equal to a
fraction of the cost of a single successful compromise." The harsher
reality is, you can never judge the reasoning behind a company's staff
to not implement the appropriate controls. How many large company's
have you worked for in your lifetime - and by large I mean in the 1,000's.
There are plenty of obstacles in a company which are preventative to
a strong security posture. There are facts like "implementing this new
technology will cost us in the millions via way of training, it will disaffect
legacy systems, clients may jump ship out of frustration therefore for
this one technology, we may have to scrap it and put in place for it
a compensatory control" Perhaps you should learn about complexity

Its just a matter of arming customers with information so that they
can make the decision thats right for them. In most cases our
customers are interested in real security, they can't afford a
compromise, so they end up working with us. In some cases the customer
just wants a check in the box, those customers go with the cheaper

Your comments and those of your fellow "security bandits" humor
me. The mechanisms in which you correlate mom and pop like
businesses with large corporations is amazing. You should be in

       If customers didn't care about quality and they wanted the cheap
service then we wouldn't be in business. Right now, we're a lot more
busy than most security firms and the load is only increasing. So you
tell me, do people care about quality? Our customers find us because
of the work we do for other people, quality is our trademark.

Well pitched snake oil sounding paragraph.

       And don't insult the consumers by saying that they want the cheap
service, people aren't as stupid as you seem to think.

There ARE actually people who are that stupid and the blind leading
the blind is a sad yet funny sight. So as I asked your friend Kevin,
you know the "don't call me black - I don't even work in the security
industry but sure answer a ton of questions in the field I don't even
work in" Kevin, how much experience do you *really* have outside
of being legends in your own mind.

As I sift through years of mailing list threads, I've seen nothing to
lead me to believe you're any more of an expert than a script kiddie
pitching tools on a flash based website and calling yourself a
quote"security expert"quote". The irony of Kevin's prior statement
speaks for itself "Just so you know I do have a day job, 9-6 that has
nothing to do with security." Stop the press right there, isn't that
akin to me giving out medical advice on say a medical mailing lists
without even working in the medical industry? How, better yet why
should I take him, you or your company serious. For starters, it's
sounding more like you have an IRC based company, your workers
(who don't work in the security field as Kevin stated) work a 9-6
elsewhere and have personal issues of race when questioned about
the validity of their status in the industry.

On prior matters of your stated "coward" comment, it has little
to do with being a coward and more of dealing with due diligence.
I won't post my identity not to protect myself, but the company
I work for. I don't need ping -f like DoS attacks coming into my
infrastructure because you and your protege Kevin feel slighted
about me questioning your competence in the industry. For me,
I know those who need to be known, the security has always
been a small industry, and you sir, you're not even on my level
technologically, let alone on the level you're portraying yourself
to be on these mailing lists. Anyone can go back re-read the
numerous posts you clowns (Kevin, you, Adriel *Netragard*)
make and ascertain this to be factual - you have little real
world skills in this industry, proceed with caution.

There is a snippet of a song perhaps Kevin can relate to, this
I will throw out there since he has an internal racial inferiority
complex: "We aint no haters like you... Bow Down to some
nigga's that's greater than you" (Westside Connection) Ending
on that note, thank you for playing the game with me and
enforcing the facts we already know, you guys are all talk
nothing more and nothing less. Definitely not to be taken

PS, say hello to Loki for me will ya.

On Feb 19, 2009, at 3:49 PM, Yehoshua Haparua wrote:

Oh enough with the holier than thou attitude, Kevin !!!You work for
just like any vendor, though the product you vend is a bit different.
Let's say you were offered 750$ an hour for penetrating a community
network (they got a nice donation for that) or 200$ an hour for
a local utility. Would you "lose" 500$ (time the hours) just to be
"important"? Ethical? The mighty dollar is also effecting your
You call for the vendors to take a hit for a few licenses. Are you
to do pro-bono pen-testing just to help a vendor improve his product,
without getting the publicity for it? No, right? So why do you
expect them
to act differently?
Today's post modern market is geared towards minimum price. People
are not
even expecting quality anymore. Regulation can help, even a lot, so
you need
decent politics to push for effective regulation. Pushing the full
blame at
the vendors is just kicking the nearest object (and yourself, Kevin,
you are also a vendor).

Joshua M.

On Thu, Feb 19, 2009 at 9:15 PM, Kevin Finisterre (lists) <
kf_lists () digitalmunition com> wrote:

Thats exactly my point Larry.. there isn't any incentive. No
regulation , no worries.

I'm sure Citect could have easily been driven from the market and
based on the wild claims I heard during my disclosure process perhaps
they were pretty close to it.

Besides lack of incentive its sooooooooooo much easier to chastise
big meanies that publish security information and react on an as
needed basis, rather than actually doing something that may impact
"bottom line" all the while actually improving the status quo.

/me wonders when pride and devotion to ones work and craft gave way
making the all mighty dollar.

On Feb 19, 2009, at 1:56 PM, ljknews wrote:

Speaking from the viewpoint of a software vendor, let me ask
where the incentive is to care about such things ?  Where are
the examples of prominent products being driven from the market
due to a lack of software quality ?
Larry Kilgallen
To unsubscribe from this mailing list, please visit:

To review our usage policy, please visit:

To unsubscribe from this mailing list, please visit:

To review our usage policy, please visit:

To unsubscribe from this mailing list, please visit:

To review our usage policy, please visit:

       Simon Smith
       simon_lists () snosoft com

       Subscribe to our blog

To unsubscribe from this mailing list, please visit:

To review our usage policy, please visit:

Making no mistakes is what establishes the certainty of victory, for
it means conquering an enemy that is already defeated. - Sun Tzu

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]