<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>No, go read Secreview’s responses to negative comments on
his amusing blog. He won’t change a review based on an opposing opinion.
The emails, blog, and his small cadre of fans remind me of Steve Gibson
lol. He has nothing on the blog to suggest he has any qualifications. When
asked what his scoring system is he responded ‘it’s just like school, A is
great, F fails.’ What a system, it’s so well articulated and unbiased that
anyone who reviews one of the security companies Secreview surfs will come up
with the same score.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk]
<b>On Behalf Of </b>Mike Vasquez<br>
<b>Sent:</b> Thursday, December 20, 2007 8:17 PM<br>
<b>To:</b> Sec Review Sucks<br>
<b>Cc:</b> full-disclosure@lists.grok.org.uk<br>
<b>Subject:</b> Re: [Full-disclosure] [Professional IT Security Reviewers -
Exposed] SecReview ( F - )<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>What I really want to know is
if a past customer (err - reader?) of sec review surfaces with a negative
opinion of them, will you adjust your grade accordingly? <br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Dec 20, 2007 1:20 PM, Sec Review Sucks &lt;<a
href="mailto:secreview.exposed@gmail.com">secreview.exposed@gmail.com</a>&gt;
wrote:<o:p></o:p></p>
<p class=MsoNormal>This rating is based entirely off my personal feelings after
reading several of the emails you've sent out to the Full Disclosure
list. I bring up the following as my reasoning: <br>
<br>
1.) What are your qualifications for reviewing these companies? <br>
2.) Your criteria for review is clearly flawed. Reviewing marketing
material, websites, etc. is just ridiculous. Typically these are not
created by the security team itself, but instead the marketing department for a
company. You only just mentioned that you started reviewing sample
reports, and that not all companies are willing to provide these. How
could you possibly review a company WITHOUT a sample report at the minimum? <br>
3.) What is your scoring system? Do you even have one?<br>
4.) If company A does not submit themselves for review, and therefore will not
provide you with the information you need to review them, do they get a lower
score? <br>
<br>
In any case, a consulting company provides far more than simply a marketing
site and sample deliverables. Unless you can survey a company's
customers, I don't see how you could ever make a reasonably accurate
assumption. Therefore, I rate SecReview as an F-. <br>
<br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html"
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html </a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>