[ISN] Security Quotes

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 07:08:08 PST

  • Next message: InfoSec News: "[ISN] Server Farm: Your Place or Mine?"

    Forwarded from: security curmudgeon <jerichoat_private>
    (A bit off topic I realize, but a few quotes that stood out over the
    last year or so on Bugtraq, Pen-Test and ISN.)
    Sorry, I don't read .pdf files from CISSP people. - modifyat_private
    I find that standing outside the front door smoking a cig is an easy
    way to get access to nearly any site.  Everyone assumes that you have
    just "stepped outside for a smoke".  Hell, at a few places people even
    take the time to hold the door for you.  Politeness is indeed a major
    danger to security, and something to take advantage of in an overall
    penetration test. - Drew Simonis (care227at_private)
    Just to be completely clear on this issue. These are the same
    customers you are refering to whome Microsoft thought would need MS
    Bob and the Talking Paperclip? One thing is to give them enough rope
    to hang themselves, but a boobietrapped thermonuclear weapon running
    on a rand(time) countdown? Is that really wise? - Terje Bless
    As one wise auditor once told me "there are those who have 20 years of
    experience, and those who have one year of experience twenty times". -
    Mark Williams (mdwilliams_44at_private)
    I've completely abandoned SANS; they seem to be a pack of utter,
    incurable, incompetant, unprofessional morons. They specifically
    endorse and recommend sendmail and BIND, and refuse to listen to
    discussions critical of these recommendations. That's enough, as far
    as I'm concerned; anything that has the SANS name on it can be
    ignored. - Bennett Todd (betat_private)
    Mapping is best done with nessus, firewalk, ping, traceroute, and the
    route servers for network and transport layer.  tcpdump, arp and
    anti-sniff for ethernet/link layer. Nmap is fine for session.
    Application, well, that's brute forcers, skriptz, whisker, and good
    old fashioned kung-f00 with some genuine clue thrown in for good
    measure. - batz (batsyat_private)
    .. divided betwen people that know what they do and other people that
    think they know cause they where tought and are certified. -
    What exactly do you have against education? (besides the obvious
    disdain for punctuation and proper spelling)  EVERYONE must learn the
    skills we need to know in todays world.  I have yet to meet a person
    who was thrust from the womb with a PDA and a laptop, ready to go.  
    Your complaint regarding people who got "tought" (sic) is as foolish
    as any I have heard. - dodgerat_private
    "Today's piece of secure software is the subject of tomorrow's Bugtraq
    YEAH RIGHT, and we all want our scan results to go through a third
    party. sure.  Not a great idea folks.  Sorry, stick to the proven
    modular opensource client/server scanners out there...that way, even
    you GUI junkies can do it. - Oliver Petruzel
    I can say for sure that I would not want anyone who could not figure
    out listserv (with it's AMPLE documentation) to either audit my
    network or perform system forensics for me. - Alfred Huger
    Regarding a bug in php-nuke: Yeah... but just say to me what can you
    do with a passwd file? just nothing. The important file isn't passwd,
    is /etc/shadow, right? and you get permission denied on that file...
    IF you get it you'll need a supercomputer to crack md5 passwords. Just
    my thoughts. /etc/passwd had problems in the past where crypted
    passwords was stored in, but now that problem is no more. - Francisco
    Burzi (NuKeLiTe) (fburziat_private)
    Two comments that stand out in reference to the efficacy of air-gap
    products are: 1) A firewall is a tunnel, an air gap is a tunnel. And a
    tunnel is a tunnel is a tunnel. Giving it another name doesn't mean it
    isn't the same.  2) Roger Marquis said so poignantly:  A half-duplex
    datastream with pico-second turnaround, coupled with a micrometer gap
    between two fiber connectors doesn't make a product anymore or less
    secure than other firewalls. - Ben Rothke (ben.rothkeat_private)
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 13:19:06 PST