Forwarded from: security curmudgeon <jerichoat_private> (A bit off topic I realize, but a few quotes that stood out over the last year or so on Bugtraq, Pen-Test and ISN.) -- Sorry, I don't read .pdf files from CISSP people. - modifyat_private I find that standing outside the front door smoking a cig is an easy way to get access to nearly any site. Everyone assumes that you have just "stepped outside for a smoke". Hell, at a few places people even take the time to hold the door for you. Politeness is indeed a major danger to security, and something to take advantage of in an overall penetration test. - Drew Simonis (care227at_private) Just to be completely clear on this issue. These are the same customers you are refering to whome Microsoft thought would need MS Bob and the Talking Paperclip? One thing is to give them enough rope to hang themselves, but a boobietrapped thermonuclear weapon running on a rand(time) countdown? Is that really wise? - Terje Bless (linkat_private) As one wise auditor once told me "there are those who have 20 years of experience, and those who have one year of experience twenty times". - Mark Williams (mdwilliams_44at_private) I've completely abandoned SANS; they seem to be a pack of utter, incurable, incompetant, unprofessional morons. They specifically endorse and recommend sendmail and BIND, and refuse to listen to discussions critical of these recommendations. That's enough, as far as I'm concerned; anything that has the SANS name on it can be ignored. - Bennett Todd (betat_private) Mapping is best done with nessus, firewalk, ping, traceroute, and the route servers for network and transport layer. tcpdump, arp and anti-sniff for ethernet/link layer. Nmap is fine for session. Application, well, that's brute forcers, skriptz, whisker, and good old fashioned kung-f00 with some genuine clue thrown in for good measure. - batz (batsyat_private) .. divided betwen people that know what they do and other people that think they know cause they where tought and are certified. - simonisat_private What exactly do you have against education? (besides the obvious disdain for punctuation and proper spelling) EVERYONE must learn the skills we need to know in todays world. I have yet to meet a person who was thrust from the womb with a PDA and a laptop, ready to go. Your complaint regarding people who got "tought" (sic) is as foolish as any I have heard. - dodgerat_private "Today's piece of secure software is the subject of tomorrow's Bugtraq posting." YEAH RIGHT, and we all want our scan results to go through a third party. sure. Not a great idea folks. Sorry, stick to the proven modular opensource client/server scanners out there...that way, even you GUI junkies can do it. - Oliver Petruzel (oliverpetruzelat_private) I can say for sure that I would not want anyone who could not figure out listserv (with it's AMPLE documentation) to either audit my network or perform system forensics for me. - Alfred Huger (ahat_private) Regarding a bug in php-nuke: Yeah... but just say to me what can you do with a passwd file? just nothing. The important file isn't passwd, is /etc/shadow, right? and you get permission denied on that file... IF you get it you'll need a supercomputer to crack md5 passwords. Just my thoughts. /etc/passwd had problems in the past where crypted passwords was stored in, but now that problem is no more. - Francisco Burzi (NuKeLiTe) (fburziat_private) Two comments that stand out in reference to the efficacy of air-gap products are: 1) A firewall is a tunnel, an air gap is a tunnel. And a tunnel is a tunnel is a tunnel. Giving it another name doesn't mean it isn't the same. 2) Roger Marquis said so poignantly: A half-duplex datastream with pico-second turnaround, coupled with a micrometer gap between two fiber connectors doesn't make a product anymore or less secure than other firewalls. - Ben Rothke (ben.rothkeat_private) - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 13:19:06 PST