Christ, the last time I checked one it just linked to a .gif on the 'security company' web site: They updated the .gif once a day so it listed the current date. You could stick 'em all over the place even if you WERE the hacker.

Macafee's website verification system is buggy... Like a lot of their other software.

I work for an ISP that includes the Macafee securty suite, the number of times it doesnt install correctly from the CD meaning that customers dont get updates after 14 days is crazy.

Almost as crazy as the number of times I've tried to get them to install it from their website, only to be told by its download manager "There are no programs to install".

Any program that makes you run a downloaded tool as a part of its recommended uninstall proceedure (and doesnt bother to tell you about it unless you look specificaly at the how to uninstall page on their website) shouldnt be anyones first choice.

A Hacker could feel right at home there..

From a program that when you click on the link hot it works: http://www.scanalert.com/site/en/certification/howitworks/ consists of a document advising the best place to place the hacker safe image on your site for marketing benefits, rather than a synopsis of how it ensure your site is safe.....

FFS.

The technical details are interesting too and raise some questions:

http://www.scanalert.com/site/en/security/howwescan/

"Accurately determining which ports on an IP address are open is the crucial first step to a comprehensive security audit. ... This is often not a simple process."

Is it really that complex a task to scan for open ports? People who can't do this stuff themselves probably shouldn't be connecting a server to the internet.

"McAfee's patent pending security auditing technology allows the HACKER SAFE mark to appear only when a web site's current security status meets the highest published government standards"

What are these "highest published government standards", and which government is under discussion? Also, what is this "patent pending security auditing technology" except some kind of easily-spoofed web serving of an image based on its referrer?

This doesn't surprise me at all; nor, would I imagine, will it come as a shock to anyone who has had any professional dealings with a "Hacker Safe" site.

At my previous workplace, a collegue (who I'm sure is reading this - Hi, Dave!) was responsible for security audits on potential business partners' websites. One had passed the "hacker safe" tests and proudly displayed the logo on their site, yet he discovered the site itself and the processes in place behind it were laughable.

When you logged out of the site, it displayed a message reminding you of what your password was for the next time you visisted. Their policy regarding changing passwords was that the customer could email them with details of what they wanted their new password to be. All this was sent and stored in plain text. This was right up, in your face - you couldn't fail to notice this, yet someone at McAfee decided to still issue the "Hacker Safe" certificate.

And this was before we even got to the application errors, XSS, DoS opportunities, configuration files and information being left out in the open - and on a site storing VERY personal data as well. It just goes to show that whatever tests go on to certify a site as being "Hacker Safe", they're a joke at best; and incredibly damaging at worst.

Paris, because her "box" has probably been rooted less than many Hacker Safe sites.

I've got a highly visible sticker on my bike that says 'Coded Cycle'. Is the bike coded or not? Who's to tell.

"Hacker Safe" -- is that a guarantee or an invite?

Mine's the one with 'security protected' on the back

I have a customer that subscribes to the HackerSafe service for his own peace of mind, it did find one (albeit blatant) XSS vulnerability I had missed in a piece of OSS we were using on his site. The problem isn't that HackerSafe doesn't test for XSS at all, it just can't test for all the possible variations (and thus only finds XSS exploits fitting a specific pattern).

HackerSafe is not a substitute for proper security precautions, I think it's safe to assume that no software is.

A quick Google for

<script src=http://www.nihaorr1.com hackersafe

shows three sites that were victims of SQL injection yet subscribe to Hacker Safe.

Currently the Hacker Safe logo shows as a blank space. But the link is still there on the page. Is this really adequate for the customer – the hackersafe logo or a blank? If a site fails to respond surely the image should become “Warning unsafe site”.

I wonder what sort of warning McAfee provided. Certainly these sites failed to modify their code and suffered the consequences.

This reminds me of a blog posting regarding a new PCI complience test that is reportedly 100% as effective as other leading PCI complience tests out there, but totally free of charge. The blog is here: http://jeremiahgrossman.blogspot.com/2008/04/my-blog-is-pci-certified-by-scanless.html and the offering is from the guys at: http://www.scanlesspci.com/ ScanlessPCI.

(As reported on Mike Rothmans blog on.....April the 2nd (A day late because of his hate of April 1st)....http://securityincite.com/blog)

(Paris, because McAfee makes your computer as open as....)

So you're an IT expert and actually sat in front of the machine and know everything about it. Can you certify the machine as 'hacker safe'? Certainly not. Now how the hell is an automated script, that is run by a third party who knows little or nothing about your site, supposed to do any better, or even match your own evaluation of the system's security.

The 'Hacker Safe' premise appeals to retards. I suppose that since nowadays retards go shopping online that is all that matters, but nothing a script can do can properly validate the security of a web site. Does the script check the company's garbage for credit card slips and other compromising data? I think not. Does it probe the system for previously unknown vulnerabilities? Doubtful.

In any case, the very name "Hacker Safe" is moronic. Security is always relative and never absolute as the name implies. Just as there isn't a lock in the world that can't at least theoretically be picked, IT security is always a measure of how difficult it is to break into a system, not a question whether it is possible at all.

"The point of the "Hacker Safe" certification is to announce that the server cannot be accessed by unauthorized "hackers", therefore submitting your credit card and personal details in the transaction is safe, as it will be stored in a purportedly secure environment."

Nope, sorry, this is still totally wrong. A successful XSS attack can be used to gain access to a server and elevate privileges. It's not "just" a defacement vector.

Also, as I mentioned before, I've seen the results from a security audit on a "hacker safe" site, and it was a joke. There is no way I would ever let that site process my credit card details, or store any kind of personal information.

WTF were these nitwits in 05/06, when XSS "grew up"?

For all you gullible customers of HackerSafe processing credit cards (all of them?), the PCI DSS *cares* about XSS, so you'd best get to work closing those holes...and by the way, you're NOT HackerSafe and you're wasting your money.