RE: My Frustrations

["THOMAS, DEDRIC (ATTCLSMA)" <dt7089 () att com>]

I too understand all your frustrations and gripes, the true question is "What 
is considered a TRUE PEN-TESTER?  We all have our expertise in a particular 
forum and need assistance at times, but to leverage a forum that is truly for 
informational and discussion based theories I believe is "SAD" and in itself 
highlights your inability to do your job.  Not saying everyone should know 
everything, but you should take enough pride in becoming an ethical hacker to 
know that if you need help, solicit assistance from those who may be smarter 
than the average bear....lol...There's no way in this Industry, that if I'm 
having issues with a particular exploit that I would post that on a Public 
forum for someone to socially engineer my potential issues.  Only time will 
separate the Geeks from the Wanna-be's, and if you are really a geek, you get 
a high from the challenge of engineering or hacking an exploit, and you don't 
want to share that with no one!!!

Have a Geek Day!  :-)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On 
Behalf Of Nick Besant
Sent: Thursday, December 18, 2008 3:58 PM
To: H D Moore
Cc: pen-test () securityfocus com
Subject: Re: My Frustrations

H D Moore wrote:
> On Wednesday 17 December 2008, Adriel T. Desautels wrote:
>
> > I recently wrote this blog entry and wanted to get some comments from
> > readers of this list. I'm frustrated with the caliber of the people
> > that are offering security services and posing as experts, thats the
> > subject of the post. Please comment, insult, whatever... I'm
> > interested.
>
> I agree with it for the most part - half the questions posed to this list
> would immediately disqualify the person as an expert, let alone a
> professional. The experienced folks tend to just post announcements or
> reply back to the former group. I would love to see this list turn back
> into real discussions of pen-testing challenges, but publicly asking for
> help on a job as reputation-centric as pen-testing carries a stigma of its
> own. The last thing you want a potential client to see is your lead pen-
> tester asking for help on a SQL injection vulnerability.
>
> I really don't see a way forward.
>
> -HD

I think an important issue is that many of the people posting those
questions to the list are failing to avoid the trap of performing purely
subjective assessments.  Pen-testing still retains some aspects of a
black art to many, including clients; as tools and "for dummies" guides
proliferate and such tools become easier to use, it becomes easy for
those with minimal experience to put forth a seemingly convincing sales
pitch.

This includes established professional services organisations and
consultancies as well as smaller establishments;  I have seen reports
from these organisations that are very much the reformatted Nessus
output referred to in earlier responses.

With this in mind I agree that there is no obvious way forward - unless
some useful, international, easy-to-use, low-cost regulatory body were
to suddenly pop into existence, perhaps.

--
Nick




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Attachment: smime.p7s
Description: