The company "Verizon" is completely different from the company Verizon Wireless.
Isn't it Verizon Wireless who has the "can you hear me now" catch phrase? If so, you are comparing oranges to tangelos with all your dumb "can you hear me now" jokes.
I was a beta tester for the LightScribe program and have one of the external burners. Here are some answers about MY experience.
1) There are 3 different modes/quality settings for burning the graphic. Good/Better/Best. The "BEST" setting is the darkest, and takes around 45 minutes for a good graphic. Pure text is quicker. And the "good" setting burns really quick with just plain text.
2) I forget the software provided - but it's a basic label making software package that usually prints on Avery labels. It is pretty powerful and easy to use. Easy to import graphics, manipulate text, etc. Works with any font you have. And even comes with about 30-50 "built in" designs that are sort of cheesy - but look good.
3) The media is "special". No idea of cost. My big complaint was that the printable surface was GOLD. So, the dark didn't show up as well as I had hoped it would. If the top was silver or white it would be a lot cooler. Hopefully they figure out a way to do that.
4) The external burner is either FIREWIRE or USB2. It is a CDRW burner. It is also a 4x (single layer) DVD burner. Mine is external and BLACK - comes with a separate power supply cord that is nice and small. I never tried it in Linux, sorry.
5) Right now, the media is CDR only. But when I asked about DVDR media in LightScribe format I was not greeted with "no way". But instead I was informed that if the media became available during beta testing, they would send it. That sort of tells me it's in the works.
Burning: The only problem I ever had was burning some DVDR images using Nero. I don't know why it didn't work. Got to 99.9% done and never finished. The problem eventually fixed itself. Everything worked perfectly with the provided software.
Overall (This is what I told HP as well):
I was happy with the device and would continue to use it AS LONG as the media wasn't TOO pricey.
The burning of the image takes too long - but for CDs that I REALLY care about - I am willing to wait. But I wouldn't use the fancy light-scribe media for all the crap I burn and only use once or twice.
I disagree just a LITTLE bit about what the first step should be. I agree 2000% that all companies should have policies/procedures/standards.
But this guy HAS been penetrated. And could STILL be penetrated. At this point he needs to put out the fires (make sure he isn't STILL being penetrated) and also make sure he can't catch on fire again next week. I think a REAL penetration-test (NOT using some Tool... using REAL penetration-testers!) is the first step.
Fix the holes found ASAP. *THEN* jump into the policies/standards/procedures to prevent this stuff from happening in the future. You CANNOT just do one, or the other, it will not work in the long-run.
Otherwise, good post!
On #3 - About the "script-fu". We have people asking for this service all the time.
SOMETIMES we allow people to WATCH what we do - and WATCH our script-fu in action. But we will never provide them with it.
If you expect the company to hand-over its kung-fu - don't expect too many top-of-the-line people to reply.
But be warned, when someone is watching me do a pen-test/vulnerability assessment it slows me down A LOT! Especially if they are always asking questions or trying to place blame! If the person WATCHING has the wrong idea about the tests, it can do more damage than good.
I recently saw an E&Y "report" for a "pen-test". It was 300 pages. Full of false positives. And looked very "canned".
It had some great stuff in it - but it was impossible to ACT upon (as a manager) because of lack of risk ratings etc. Also, none of the findings related to business risk at all. It was PURELY technical.
This type of report can be useful if you have a swarm of techie managers to divvy up the report to the proper people. This is hardly ever the case.
You're right, they do release ALL info to the vendor (as they are supposed to - so that's no big deal. That's like congratulating yourself for taking care of your kids and not going to jail)
As for ISS having no responsibility to make it easy for crackers...... that's exactly my point. If OTHER people hadn't done this where would ISS be? If OTHER people hadn't released ALL info, ISS would have to research ALL vulnerabilities until they find the REAL INDEPTH problem. That would cost them a whole hell of a lot more money (more people, more resources). You cannot tell me that ISS discovered all the vulnerabilities they search for in their software themselves. It's a simple case of being a leech... I can't say I blame them, it makes their company more marketable (after all this way, they have vulnerability information that no other company has... once again, sounds like something Microsoft would do)
-Minga
Heh, maybe you don't understand. My company doesn't make software that is dependent on other people's disclosed information (we don't make software AT ALL). Also my company doesn't do vulnerability reports! So you're 0/2 on accusing my company of doing the same thing ISS does. (and another thing, I'm not posting this as "my company", this is something that personally bothers me) I agree that the ISS reports have SOME worthwhile value.. from a business standpoint they could be useful to identify risk, etc. But imagine someone (an ISS competitor) who makes a product like ISS Scanner (for example). The ISS reports hardly help them at all. But at the same time ISS doesn't mind getting all the details THEY need from other people's reports. It's just MICROSOFT'ish. Why DOESN'T ISS do full disclosure? I'm not asking for an exploit, just COMPLETE full disclosure. I.E. Show me the line of code that is wrong. -Minga
Question for l0pht: 1) What are all of your opinions about non-full-disclosure companies making money off of full-disclosure vulnerability reports? A very important example is that of ISS (http://www.iss.net/). They made millions from the sale of their products like RealSecure and Security Scanner. These programs obviously check for vulnerabilities that were once posted on full-disclosure lists/pages. ISS is ABSOLUTELY DEPENDENT on this information... But when it comes time for ISS to report on vulnerabilities they have found (via X-FORCE) they release the most poor excuse for a vulnerability report I've ever seen. A person cannot get any USEFUL information from them at all. Things like "There is a buffer overflow in BLAH version x.xx" And that's all the detail they give. What if every company/group did this? ISS wouldn't even have a worthwhile scanner/detector at all! Do you all feel that ISS is doing anything wrong?
I almost creamed myself when I read this. My life is now complete. No more switching to Windows just to watch TV.