At 02:14 PM 3/5/98 +1000, Shake Communications PTY LTD wrote:
>Thanks for your e-mail.
>Our claims in relation to the Shake Vulnerabilities Database vis-a-vis
>other, established vulnerabilities lists, are based on our own examination
>of the existing lists. We make no apologies for that. Our whole aim in
>developing the Vulnerabilities Database was to go beyond what the free lists
>offer. If we didn't do that, you are right - we could not expect anyone to
>pay the $$$ we are asking.
Since it is very hard to tell what exact type of examinations your
organization has done compared to the various other companies who produce
the same type of lists for similar $$.
>As such, we have worked very hard to develop a more up-to-date database, to
>cover more hardware and software, to categorise operating systems,
>applications, languages, hardware, etc in an easily searchable format, to
>give users information with just enough (not too much) detail on the nature
>of a given vulnerability and how to fix it, and to keep the database up to
>date. And we will continue working hard to maintain this standard.
Seems like you are just stating you have created a giant search engine with
some search capabilities to allow users to search one database for
vulnerabilities instead of many. But are those vulnerabilities, etc. any
better than those currently existing? There is no way to tell unless one
subscribes to your list and does some sort of comparison.
>You raise some good points. A comparative report stating the differences
>between our database and those currently available is a good idea. We will
>work on that. Also, we will be providing more examples of our
>Vulnerabilities Database at our Web Site.
Yes, a definite comparison report would be worthwhile but from an
independent agency similar to the NCSA testing of commercial firewall
solutions or the recently published SNI paper on the vulnerabilities
inherent in most IDS Systems.
>Finally, in relation to staff and training: our management team consists of
>myself with a Bachelor of Computing (Information Systems) and Anna Johnson
>with Bachelors degrees in Law, Commerce and Arts from the University of
>Melbourne. Due to the varying nature of security work, we engage skilled
>security professionals depending on the contract at hand. Even so, we
>require each person to undertake thorough training in security basics and
>client service. We also maintain close links with the IS Department (now
>SIMS) of Monash University.
Yes, you state an important point: due to the varying nature of security
work, it is very difficult to maintain a level of understanding of security
basics and client service. Similar to the thread that was of most recent
posting, 'Certifying Security Auditors'. Strange how your advertisement
for your company followed shortly after that thread had generated
discussions of creating an Auditing Methodology forum to create standards
within the security auditing industry..??
>I guess that may sound like the claims made by the big N-1 firms! Well, I
>believe that what distinguishes us is our money-back guarantee: if we don't
>give you the results you expect, we will refund your money. This is also the
>theory behind providing the March edition of the Shake Security Journal
>(http://www.shake.net) for free - you can see the quality and decide for
>yourself whether this is the kind of thing you want to subscribe to.
Again, it does sound like the claims made by the Big N-1 firms, but as
always if a customer is not satisfied with the services, they can refuse
to pay, so I do not know where your refunding the money is any different.
Overall, I am not thoroughly convinced that your company offers a different
type of services already offered by other people or organizations engaged
in similar type of work.
You had stated you have been using the Internet since 1989, but yet this is
the first time I have seen a post by you on this list??
Just makes me a little suspicious.
>Thank you, Mark, for taking the time to give us your feedback. I hope this
>has cleared up a few things.