Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Vulnerabilites in new laws on computer hacking

from [ArkanoiD] Network Security [Permanent Link]
Subject: Re: Vulnerabilites in new laws on computer hacking
Date: Sun, 19 Feb 2006 16:19:27 +0300 
nuqneH,

Actually, both are quite useless and non-informative.
(should i explain?)
"fixing the holes" is, for my estimation, hardly more than 10% of
computer security process. Thanks to stupid hollywood movies, 
customers are almost completely unaware of that :-(
They still think a computer security expert is a person who performs
attacks and provides a report if he succeeds.

On Fri, Feb 17, 2006 at 12:43:49AM -0500, Seth Breidbart wrote:

"Marcus J. Ranum" <mjr@ranum.com> wrote:


If you're trying to understand the security properties of a
system by breaking into it, you not producing valuable
reports, anyhow. All you are doing is telling them where
to put the next band-aid.


I know of too many (more than none is too many) examples where a
company went to a Big Consulting Firm and asked for a report on the
security of their systems.  Many tens of kilobucks later, they got a
fancy bound report that said "we couldn't break in" followed by 200
pages of ass-covering by the consulting firm.  Then they went to a
real security expert, who spent one day attacking their system and
gave them a report saying "here are the five easiest ways I found to
break into your system.  Fix them and call me back."

You might not consider that valuable; but how do you consider the
expensive fancy bound completely worthless report?

Seth
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [KAPDA::#27] - Runcms 1.x Cross_Site_Scripting vulnerability, roozbeh_afrasiabi
Next by Date:  Mozilla Thunderbird : Remote Code Execution & Denial of Service, Renaud Lifchitz
Previous by Thread:  Re: Vulnerabilites in new laws on computer hacking, Seth Breidbart
Next by Thread:  Re: Vulnerabilites in new laws on computer hacking, ArkanoiD
Indexes:  [Date] [Thread] [Top] [All Lists]