Penetration Testing mailing list archives
FW: My Frustrations
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 18 Dec 2008 15:36:36 -0800
H.D. if you don't want clients checking up on postings then use a pseudonym, preferably one that you hold a little close. I don't make a big deal about hiding behind this one. I just use it to show that my postings are personal and not on behalf of my employer. Another alternative to the issue is to have closed lists where the participants are vetted. I'm on a few of those and they vary in quality as well... go figure.
Putting on my non-moderator hat for a change... Sometimes we forget that there are some 15k+ subscribed list members with a wide range of backgrounds and expertise. From well-known experts and practicing professionals such as HD, Dave, Adriel, etc., to 13yr old script kiddies or novices just interested in pen-testing in general. I'm not ashamed to admit that my code analysis skills are weak and to ask questions around that aspect or rely on advice from people like HD and others who have a better grasp on those things. My expertise is slanted towards other realms.

That said, there are many posts I've let through where it's apparent someone is in above their heads in an area where they are representing themselves as an expert. As a moderator, my job is to keep discussions flowing and relevant to pen-testing. As a security professional, I shudder with horror at the things some people ask. As Adriel said, the real problem is when a supposed expert is looking for help on something that is so basic that you wonder how they got the contract at all. It devalues the work of the real experts and fosters a false sense of security.

The responses to such questions (qualification issue aside) are useful for list members whose expertise or background isn't in that particular area and spreads Clue to those readers. Lack of knowledge isn't a bad thing, we're all here to learn _something_. Misrepresenting your expertise I believe is a very Bad Thing... but it happens and they land clients who are ill-served and might not realize it.

The only feasible solution I see is to educate clients so they can tell the wheat from the chaff. How to do so across the industry is a vexing question. I don't think regulatory bodies would work. I don't think certifications work. They can be good indicators of actual expertise but, as many others have pointed out, are not in and of themselves guarantees of qualification for hands-on "doing the work". So far there is no replacement for word of mouth.
Erin Carroll
CTO & Vice President | iVOLUTION Security Technologies