Dailydave mailing list archives
Where the Wild Things Are
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 24 Jan 2007 18:59:56 -0500
Yesterday over Belgian food (oddly enough) we had a conversation like this:

A: So, the next two days of class should teach us to be better penetration testers?
B: Well, it'll teach you how to be a better hacker. That's not the same thing, but it will either make you a better penetration tester or just a more interesting person.
A: So what's the difference between hacking and penetration testing?

This is one of those questions that you can have really long boring threads on, like the iPhone thread, but which is still quite a good question.

I think the "difference between Vulnerability Assessment and Penetration Testing" is a lot easier. If you stop after you find the first bug, it's a penetration test. If you try to find all the bugs in a system, it's a vulnerability assessment. Easy.

But penetration testing and hacking are much more similar, and yet completely different in some way, like the difference between pancakes and crepes (It's breakfast time here in Singapore).

First of all, there's covertness. It's no mistake that CANVAS had covertness as a giant part of the UI from almost day 1. Covertness requires infrastructure - an insane amount of infrastructure. (For example, hacking requires that you fly around the world teaching people to hack just like you, so that you gain some anonymity. :>)

There's a reason good hackers search out other good hackers to hang with - and it's not because they're naturally social beasts. It's because the job is really massive if you're going to do it right. The exploits have to be...insanely good. The toolset required is huge and changes constantly. As protective technology improves, you need to start building specialized debuggers, binary analysis, and statistical analysis tools. This isn't cheap, which means now you need business and organizational skills. And eventually this level needs to trickle down to penetration testers.

Penetration testing used to be one of the simplest things in security. You portscanned, you downloaded tools from the internet, you ran them. These days it's a lot harder, but still nothing compared to the needs of a hacker.

Nonetheless, the hacker does have a few things going for them. In particular, two major things: Scope, and Time. There's no such thing as scope to a hacker, and if they need to own your entire ISP to get one step closer to you, they will. Makes MITM attacks easier. And a hacker can watch their prey over long periods of time. You'll have 3 system administrators before the hacker gives up watching you. All hunters have patience.

Speaking of hunters, tonight I'm headed to the "Night Zoo" with Thomas Lim to see some of the original creatures of Singapore. You gotta take your nature where you can find it.

-dave