| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Feb 2006 16:19:27 +0300 From: ArkanoiD <ark@...ex.ru> To: Seth Breidbart <sethb@...ix.com> Cc: bugtraq@...urityfocus.com Subject: Re: Vulnerabilites in new laws on computer hacking nuqneH, Actually, both are quite useless and non-informative. (should i explain?) "fixing the holes" is, for my estimation, hardly more than 10% of computer security process. Thanks to stupid hollywood movies, customers are almost completely unaware of that :-( They still think a computer security expert is a person who performs attacks and provides a report if he succeeds. On Fri, Feb 17, 2006 at 12:43:49AM -0500, Seth Breidbart wrote: > "Marcus J. Ranum" <mjr@...um.com> wrote: > > > If you're trying to understand the security properties of a > > system by breaking into it, you not producing valuable > > reports, anyhow. All you are doing is telling them where > > to put the next band-aid. > > I know of too many (more than none is too many) examples where a > company went to a Big Consulting Firm and asked for a report on the > security of their systems. Many tens of kilobucks later, they got a > fancy bound report that said "we couldn't break in" followed by 200 > pages of ass-covering by the consulting firm. Then they went to a > real security expert, who spent one day attacking their system and > gave them a report saying "here are the five easiest ways I found to > break into your system. Fix them and call me back." > > You might not consider that valuable; but how do you consider the > expensive fancy bound completely worthless report? > > Seth
Powered by blists - more mailing lists