Looks like the discussion is taking a different direction. Thank you. Shyaam
On Jan 7, 2012, at 7:37 PM, Ferenc Kovacs <[email protected]> wrote:

> On Sun, Jan 8, 2012 at 1:24 AM, Laurelai <[email protected]> wrote:
>
>> On 1/7/12 6:20 PM, [email protected] wrote:
>>
>>> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>>>
>>>> Because they pay the kids to own them in a safe manner to show that
>>>
>>> It's not as simple as all that. A good pen-tester needs more skills than just
>>> how to pwn a server. You need some business smarts, and you need to be *very*
>>> careful about writing the rules of engagement (some pen tests that involve
>>> physical attacks can literally get you shot at if you screw this part up), and
>>> then *sticking with them* (you find a major social engineering problem while
>>> doing a black-box test of some front-end servers, you better re-negotiate those
>>> rules of engagement before you do anything else). Also, once a pen test
>>> starts, you can't take your time and poke it with the 3 or 4 types of attacks
>>> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
>>> 37 different classes of attacks they're likely to see and another 61 types
>>> of attacks they're not likely to see and aren't expecting. And be prepared to
>>> work any one of those 94 from "looks like might be an issue" to something you
>>> can put in a report and say "You Have A Problem".
>>>
>>> Almost no company is stupid enough to hire a pen testing team without that team
>>> posting a good-sized performance bond in case of a screw-up taking out a
>>> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
>>> *already* caught them stealing the data once :)
>>>
>>> And the kids are going to land a $1M performance bond, how?
>>>
>>> (Hint - think this through. Really good pentesters make *really* good bucks.
>>> If those kiddies had what it took to be good pentesters, they'd already be
>>> making bucks as pentesters, not as kiddies)
>>>
>>>> their so called experts are full of shit, then they fire said experts
>>>> and hire competent people saving time money and resources, try and
>>>
>>> Doesn't scale, because there's not enough competent people out there. There's
>>> 140 million .coms, there aren't 140 million security experts out there.
>>>
>>> It's not a new idea - I've heard it every year or two since probably before
>>> most of the people on this list were born. The fact that almost no companies
>>> actually *do* it, and that those hackers who have successfully crossed over to
>>> consulting are rare enough that you can name most of them, should tell you
>>> something about how well it ends up working in practice.
>>
>> Well enjoy your doomed industry then. I'll continue to take great pleasure as
>> the so called experts get owned by teenagers.
>
> imo public shaming (i.e. owned by kiddies, usually they get bigger media
> attention) can force companies to take security more seriously, but imo
> hiring the kiddies isn't the solution.
> even if he/she happens to be the "superstar", who given the chance would be
> able to secure your infrastructure, but the industry is rotten mostly because
> it-sec isn't as high priority as it should be.
> it is an added-value, usually bolted-on top of the screwed up legacy
> processes/software, and the higher-ups expect it to be bought by money alone.
> they would pay for the cert, they would pay for the hacker-proof seal, they
> would pay for the insurance, and the decent looking it-security consultant
> company, but they won't change the flawed processes, and the bad priorities.
> of course many of them will get owned, lose a good chunk of money, some of
> them even will go out of business, but until most of them can get away with
> that broken model, they won't try to fix the underlying problem.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
