Security Basics mailing list archives

Re: Would you bet your life on your security?


From: David Moisan <dmoisan () davidmoisan org>
Date: Thu, 02 Oct 2003 22:19:24 -0400

At 05:41 PM 10/2/2003 -0400, simon wrote:
> Let me make this very simple for you. If you bring your car into a shop and they find no problems do you want to pay for a brake job, and new ball joints? If we find vulnerabilities then we will

Most people accept that there is a cost in time and money to perform the inspection.

Then again, if I were having car work done, I might think a low-ball or even no-ball price estimate, as is so often seen, is just the thin end of the wedge to justify more work and more money from the customer.

> help you fix them. If we don't, then you haven't spent a dime. What you seem to be proposing is that you spend money regardless of the work done? Hey, send some checks my way...

You seem to be proposing that I, for one, should give you an open-ended assignment knowing that you will (in fact, must, if you are to make a profit) have an incentive to "find problems".

I thought about taking you up for about two seconds, but I represent a small nonprofit and the costs of remediation by a third party such as yourself that is determined to find security problems (as a good hacker would do) would well outweigh the benefits. Most security consultancies work for enterprise clients and they do *not* scale down to small businesses well, if at all, and are not a bargain for us at *any* price.

Besides, it sounded too much like the extortionate offer we got on the list a few months back from someone offering to "fix" their own hacking for a fee.

Take care,

Dave

David Moisan, N1KGH   ARES/SKYWARN             dmoisan () davidmoisan org
Invisible Disability:  http://www.davidmoisan.org/invisible_disability.html
ATS-909 FAQ:  http://www.davidmoisan.org/radio/sangean/ats909faq.html

