From: Ichinin (ichininSWIPNET.SE)
Date: Sat Aug 18 2001 - 03:53:08 CDT


    Steve wrote:
    > Words spoken by someone who himself does not truly get it or understand.

    Why does everyone have to think that one knows nothing about security (or
    programming) when one criticizes the industry?

    > Are you a developer?

    Yes. Not currently employed.

    > Have you ever had to go through thousands of lines
    > of code?

    Yes. Not a funny activity.

    > Have you ever had to think of every possible scenario?

    Before I start a project, at least I take security into account; I also
    warn and try to convince my superiors about possible threats that may
    occur. They have _never_ listened, and dismissed, say, penetration testing
    as "illegal" activities and expect *THAT* to deter security researchers;
    they don't even know that their statements are 100% BS and have no
    backing in law. The same BS comes from salespeople.

    > It is not as easy as it sounds.

    I never said that it would be. I just want them to at least use
    code scanners and train their programmers how NOT to write code,
    and management should know about vulnerabilities and implications
    (et cetera).

    > Granted, some of the larger companies should
    > be able to handle this as they have the resources to throw at the
    > problem. But, until the consumers at large start refusing to purchase
    > buggy software then upgrades that should have been free or included with
    > the original software the problem will never go away.

    I agree; I'd like to go further and make software corporations liable in
    the same way a car manufacturer would be responsible for making a
    dangerous vehicle.

    > Regards;
    >
    > Steve Manzuik
    > Moderator - VulnWatch
    > www.vulnwatch.org

    (FYI - For those who think I'm just a snot-nosed script kiddie, I'd just
    like to say that I'm 27, wrote 6502 ASM when I was 9, and have worked with
    IT for 80% of my career. In my pastime I research security; at times I've
    released some advisories but do not feel compelled to help an industry
    that looks down on private computer security researchers or "whitehats".)

    [MJE: Forward this to the list if you feel like it.]
