Date: Fri, 17 Feb 2006 14:28:29 +0300
From: ArkanoiD <ark@...ex.net>
To: Craig Wright <cwright@...syd.com.au>
Cc: self-destruction@...best.com, bugtraq@...urityfocus.com,
	mjr@...um.com
Subject: Re: Vulnerabilites in new laws on computer hacking


nuqneH,

I'd even say, if you hire someone whose security knowledge is based solely
on breaking into systems, this guy will not be able to produce valuable reports
for customers because his viewpoint is likely to be flawed; his knowledge on
protecting systems usually falls into the "patch-this-hole" pattern, not risk
assessment and secure design.

Not always (well, I myself was a very bad guy years ago), but I think it
is the main reason for big IT security companies' policy of "we do not hire hackers" -
not because you cannot trust them - that is not true, they often have
a kind of ethics of their own, strong enough - but just because they are almost useless.

There are exceptions, sure.

On Thu, Feb 16, 2006 at 08:54:51AM +1100, Craig Wright wrote:

> "If you hire someone that has never broken into a system, this guy will
> not be able to produce valuable reports for customers because he will
> not be able to find vulnerabilities that can't be found running a
> scanner."
> 
> The quote above is wrong. Empirically and categorically wrong. This is a
> case of blind assertion with no proof, let alone evidence. Let's look at
> things a little scientifically. For all you hope to demonstrate with
> this style of pen. test, you are only as effective at best as a poorly
> run hands-on vulnerability-based risk assessment.
