[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060217112829.GA32056@eltex.net>
Date: Fri, 17 Feb 2006 14:28:29 +0300
From: ArkanoiD <ark@...ex.net>
To: Craig Wright <cwright@...syd.com.au>
Cc: self-destruction@...best.com, bugtraq@...urityfocus.com,
mjr@...um.com
Subject: Re: Vulnerabilites in new laws on computer hacking
nuqneH,
I'd even say, if you hire someone whose security knowledge is based solely
on breaking into systems, this guy will not able to produce valuable reports
for customers because his viewpoint is likely to be flawed; his knowledge on
protecting system usually falls into "patch-this-hole" pattern, not risk
assessment and secure design.
Not always (well, i myself was a very bad guy years ago), but i think it
is the main reason of big IT security companies policy "we do not hire hackers" -
not because they you cannot trust them - that is not true, they often have
a kind of own ethics strong enough - but just because they are almost useless.
There are exceptions, sure.
On Thu, Feb 16, 2006 at 08:54:51AM +1100, Craig Wright wrote:
> "If you hire someone that has never broken into a system, this guy will
> not be able to produce valuable reports for customers because he will
> not be able to find vulnerabilities that can't be found running a
> scanner."
>
> The quote above is wrong. Empirically and categorically wrong. This is a
> case of blind assertion with no proof let alone evidence. Lets look at
> things a little scientifically. For all you hope to demonstrate with
> this style of pen. test you are only as effective at best as a poorly
> run hands on vulnerability based risk assessment.
Powered by blists - more mailing lists