"Marcus J. Ranum" <mjr@xxxxxxxxx> wrote: > If you're trying to understand the security properties of a > system by breaking into it, you not producing valuable > reports, anyhow. All you are doing is telling them where > to put the next band-aid. I know of too many (more than none is too many) examples where a company went to a Big Consulting Firm and asked for a report on the security of their systems. Many tens of kilobucks later, they got a fancy bound report that said "we couldn't break in" followed by 200 pages of ass-covering by the consulting firm. Then they went to a real security expert, who spent one day attacking their system and gave them a report saying "here are the five easiest ways I found to break into your system. Fix them and call me back." You might not consider that valuable; but how do you consider the expensive fancy bound completely worthless report? Seth
