[rescue] shysters who claim to do security audits
Greg A. Woods
rescue at sunhelp.org
Tue Jun 26 16:00:06 CDT 2001
[ On Tuesday, June 26, 2001 at 15:16:00 (-0500), ward at zilla.nu wrote: ]
> Subject: Re: [rescue] RE: Why buy DEC when you can get the milk for free?
>
> I hear they just use nessus these days.
The last time one of my customers got a nessus report from some
third-party so-called auditor I nearly hit the roof. They paid the
shysters something like $10,000.00 for it too!
But that wasn't the worst of it. They also claimed that they'd done a
remote root exploit using SSH. Unfortunately (for them) the bug they
claimed they'd used had been eliminated from the systems months before
they ever even heard of us. I seriously thought of suing them for
professional slander. If I ever see them again I'll kick their butts,
again.
The idiot upper-manager at this particular customer didn't even
understand the issue and insists to this day he got his money's worth.
I haven't been able to give a customer a calm, reasoned discussion of the
merits and demerits of third party auditing since. Don't even get me
started on so-called "attack teams".
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods at acm.org> <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>