Re: Would you bet your life on your security?

From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: 10/02/03

  • Next message: Matthew F. Caldwell: "RE: Country based IPs" 
    To: ericbrow@ziplip.com
Date: Thu, 02 Oct 2003 13:16:23 -0700

    On Wed, 2003-10-01 at 19:04, Eric Brown wrote:
    > Hello Simon,
    >
    > I'm pretty new to security, but this is discouraged by the ISECOM in their most current Open Source Security Testing Methodology Manual, p. 18, "2. The offering of free services for failure to penetrate or provide trophies from the target is forbidden."
    >
    > I wouldn't know this if I hadn't just read it though.
    > Eric
    >
    > > -----Original Message-----
    > > From: simon [mailto:simon@snosoft.com]
    > > Sent: Wednesday, October 01, 2003, 4:18 PM
    > > To: security-basics@securityfocus.com
    > > Subject: Would you bet your life on your security?
    > >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > > All,
    > > I'm not sure how many of you have had good security audits in the
    > > recent past so I thought I'd show you this. In summary Secure Network
    > > Operations, Inc. will do an external security audit of your network for
    > > approx $1000.00. If they don't find any vulnerabilities, then the audit
    > > is FREE and they send you a letter of validation. If they do find
    > > vulnerabilities, then they charge you and send you a formal report that
    > > details their finds and grades your network.
    > >
    > > Given some of the new laws that have been passed this seems like a
    > > pretty good service and a VERY cheap way to validate your companies
    > > security. Secure Network Operations also has a flawless track record and
    > > has the references to prove it.
    > >
    > > Why do I think this is a good idea? Well, the California identity theft
    > > law (Civil Code 1798.82),The new federal banking regulations are two
    > > reasons. They both make disclosure of a compromise MANDITORY. You need
    > > to tell ALL of your clients, by law, that you have been compromised and
    > > that their identities may have been stolen.
    > >
    > > So anyway, I'll shut up. For those of you that are interested check out
    > > the link below. For those of you that arent, I'm just trying to help
    > > people out so don't flame me or I'll /dev/null your mail.
    > >
    > > http://www.secnetops.com/pesa-form_html.html
    > >
    > > Their web site is: http://www.secnetops.com
    > > - --
    > > Regards,
    > > -simon-
    > >
    > >
    > > -----BEGIN PGP SIGNATURE-----
    > > Version: GnuPG v1.2.1 (GNU/Linux)
    > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
    > >
    > > iD8DBQE/e0/Nf3Elv1PhzXgRAqczAJ9jLoYmBi1aCs6DA49cB7nusXhv2QCgzeF6
    > > 0kewAu0Xz4t6+F5Px6kfKc8=
    > > =9AWM
    > > -----END PGP SIGNATURE-----
    > >
    > >
    > > ---------------------------------------------------------------------------
    > > ----------------------------------------------------------------------------
    > >
    >
    >
    > To do is to be. -Socrates
    > To be is to do. -Satre
    > Do be do be do. -Sinatra
    >
    > ---------------------------------------------------------------------------
    > ----------------------------------------------------------------------------

    Actually, no respectable professional really advertizes his/her services
    in a forum where other professionals are reading/teaching/learning
    unless its something specially setup for the purpose of advertizing
    one's needs/wants e.g. the security-jobs mailing list. I think that's
    standard etiquette for mailing lists.

    On these grounds, I find Simon's advertizing pretty unprofessional -
    despite the solid reasons (or FUD ?) given as to why insecure networks
    can cause a financial liability. I wish he had chosen a more objective
    and less FUD approach. Right subject matter, wrong approach - IMHO.

    But to object on the grounds that 'ISECOM' forbids it is difficult to
    understand. The word 'forbid' is too strong, dont you think ? How can
    you 'forbid' anyone from doing legal things in a free country ?? esp.
    considering the 'stubborn' profile that most people from the infosec
    industry have!! (by stubborn I mean it in a good sense, i.e. you have
    continued banging your head against the wall till you understood things,
    while others would have walked away from the challenge and taken on less
    demanding jobs). 

    -- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: Matthew F. Caldwell: "RE: Country based IPs"