lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 07 Jan 2012 18:24:04 -0600
From: Laurelai <laurelai@...echan.org>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On 1/7/12 6:20 PM, Valdis.Kletnieks@...edu wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that.  A good pen-tester needs more skills than just
> how to pwn a server.  You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate those
> rules of engagement before you do anything else).  Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting.  And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
>
> Almost no company is stupid enough to hire a pen testing team without that team
> posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
>
> And the kids are going to land a $1M performance bond, how?
>
> (Hint - think this through.  Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
>
>> their so called expertsd are full of shit, then they fire said experts
>> and hire competent people saving time money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
>
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born.  The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
>
Well enjoy your doomed industry then. Ill continue to take great 
pleasure as the so called experts get owned by teenagers.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ