Penetration Testing mailing list archives

Re: Pentester convicted thread


From: Erin Carroll <amoeba () amoebazone com>
Date: Fri, 12 May 2006 14:58:46 -0400 (EDT)


Anna, 

With all due respect, you are incorrect in what you are inferring. There
are other lists available which cover the moral, legal, and ethical
aspects of security research and activities. As another member pointed
out, dcstuff at attrition.org or other mailing lists are more appropriate 
venues for that type of discussion. The SecurityFocus pen-test list focus 
is on the technical aspects of pen-testing: new tools, methodologies for 
testing, and tool usage discussions etc. 

As moderator it is my job to keep the posts in line with that focus and
keep my personal bias and opinions out of it. While I personally find the
discussion of the 'pentester convicted' thread very interesting, the
pen-test list is not my personal little kingdom to play god with.  I'm
beholden to the members and contributors to keep the list focused on the
subjects that they signed up for. I am not paid for moderation, this is a 
volunteer effort.

I am always available for input or suggestions and have attempted to
maintain a fairly open and transparent modus operandi when it comes to the
list and its moderation... which is why I approved your post below as
there may be list members who share your concerns and I wanted to address
them publicly. If anyone else has questions or concerns, please don't
hesitate to contact me.

Despite your cynicism, I would very much appreciate being informed of what
issues with the list you are referring to. I don't control the list server
or its implementations. I don't log in to the server or SecurityFocus
boxes to do moderation, it's a remote mod function of the mailing list program.
If there is a security issue with it I'm sure that SecurityFocus would
like to know. That being said, there may well be technical or operational
reasons why the flaw exists which would preclude fixing them but I have no
insight into that.


-Erin


On Fri, 12 May 2006, joris wrote:

the good old, Never bite the hand that is feeding you, reaction.

then I must assume that you also don't want to know about a flaw in the mailing-list system..
just like your sponsor didn't want to know about theirs.

Night night, don't let the bed bug byte too much.
*Anna.


On Thu, 11 May 2006 16:41:58 -0400 (EDT)
Erin Carroll <amoeba () amoebazone com> wrote:

List members,

While the 'pentester convicted' thread has generated a *lot* of response
and interesting discussion, don't be surprised if I reject posts on it
going forward. This is not a blanket rejection of all future posts on the
thread as I do think that some of the discussion is relevant and within
the list charter. However, at the same time I can't let it devolve into
ethical or morality debates, legal verbiage, and flamefests. If your post
on this thread is rejected it's not personal, I just didn't see the
immediate relevance to the focus of the pen-test list.

If you wish to discuss the methodology used and the pros/cons surrounding 
how it all went down that's fine and dandy :)

Please be aware of the pen-test list charter which can be found at
http://www.securityfocus.com/archive/101/description. Though I have been
the list moderator for a little over a year now, pen-test is still owned
by Al Huger and the fine folks at SecurityFocus. 

If you have any questions, comments, concerns, or flames feel free to 
email me directly.


--
Erin Carroll
Moderator, SecurityFocus pen-test list


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------



