Penetration Testing mailing list archives
RE: felons as pentesters
From: "Mark Brunner" <kohi10 () rogers com>
Date: Wed, 8 Dec 2010 19:54:51 -0500
J.

Feel free to have an opinion, misguided or otherwise. BTW, cybercrime? It's just plain old crime. All that has changed is the vehicle.

Why not an FBI agent. Temptation is everywhere, and few are immune. If the return was right, the risk appeared low, and the probability of success was positive, even a saint can be tempted!

I wouldn't hire a known child molester to look after my granddaughter, I won't hire a proven thief to manage my stock portfolio, and if I have a choice between a convicted felon and someone with a clean record, I am going to take a chance on the unknown quantity, and add to the mix my best preventive controls and detective measures.

As soon as the people listed below decided to commit crime, hurt someone, damage something not their own, they became wolves.

That is my 2¢ and humorous, misguided opinion, be the first on your block to collect all ten!

M. Brunner
Information Security Manager & Consultant
Greater Toronto Area, Ontario Canada

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of J. Oquendo
Sent: Tuesday, December 07, 2010 9:27 AM
To: Mark Brunner; pen-test
Subject: Re: felons as pentesters

On 12/4/2010 2:25 PM, Mark Brunner wrote:
> Using wolves to herd sheep is probably counter-productive. Unless those wolves come with an iron-clad guarantee and a commitment from a reputable and solvent company that will compensate for or replace any missing sheep...
> Can your rehabilitated wolf do that? Probably not. Best pursue a position less "interesting".

This is a humorous and misguided comment, sorry - that's my opinion. I implore you and anyone else to take a look around at 1/3rd of the "cybercrimes" committed (I say one third because it's easy pickins). Ready? (http://en.wikipedia.org/wiki/Lies,_damned_lies,_and_statistics)

If we do some quick math, of the 12 cases that immediately sprout up on Cybercrime.gov, you should be fearing normal individuals more than you should be fearing a "convicted" felon with regards to "cybercrime." In fact, not ONE CASE on that site mentions ANYONE as having "former record"

From http://www.cybercrime.gov/cc.html

OMG, even an FBI agent...

United States Attorney Jane J. Boyle announced that a federal grand jury in Dallas returned a ten-count indictment today charging Lancaster, Texas, resident, Jeffrey D. Fudge, with various felony charges related to the misuse of his position of trust as a Federal Bureau of Investigation (FBI) investigative analyst. http://www.cybercrime.gov/fudgeIndict.htm

Not wolves, trusted insiders...

According to the indictment, Camp and Fowler developed a computer virus, which they used to infect UCM computers including an attempt to infect the computer used by the university's president.

Not a wolf a normal ordinary person...

David C. Kernell, 23, today was sentenced to one year and one day in prison for intentionally accessing without authorization the e-mail account of former Alaska governor Sarah Palin and obstruction of justice,

Not a wolf a normal person...

charged Frost with causing damage to a protected computer system and possessing 15 or more unauthorized access devices.

Not a wolf... normal person...

On June 29, 2010, Darnell H. Albert-El, 53, of Richmond, pleaded guilty to one count of intentionally damaging a protected computer without authorization. Albert-El was sentenced today by Senior U.S. District Judge Robert E. Payne in the Eastern

Not a wolf, normal employee

Makwana's laptop and other evidence, revealed that Makwana had transmitted the malicious code on October 24, 2008 which was intended to execute on January 31, 2009. The malicious code was designed to propagate throughout the Fannie Mae network of computers and destroy all data, including financial, securities and mortgage information.

Not a wolf, normal employee/insider

Bruce Raisley, 49, of Kansas City, Mo. formerly of Monaca, Pa. following a six-day trial before United States District Judge Robert B. Kugler in Camden.
Raisley was convicted of the count charged in the Indictment on which he was tried: launching a malicious computer program designed to attack computers and Internet websites, causing damages.

Not a wolf normal person...

DANIEL CHRISTOPHER LEONARD, 32, of Olympia, Washington, pleaded guilty today in U.S. District Court in Tacoma to one count of cyber-stalking and four counts of making threatening communications. ... Many of the victims altered their lives because of the phone calls; quitting jobs, moving, and altering their activities because of the threatening and harassing calls. Many cancelled their cell phone numbers, only to start receiving the calls at home or at work.

Not a wolf, normal employee/insider

Shelnutt was a former CariNet employee. Between October 2008 and November 9, 2008, Shelnutt repeatedly accessed CariNet's computer network without authorization and caused damage.

So back to this theory/notion about felons and cybercrime, of all the cases listed on that site, do the breakdown of "repeat offenders" as opposed to making misguided comments "omg they will always be vile, vicious attackers who can't be trusted!" I guarantee you that you have more to fear from normal individuals than you do from someone with a felony. This is NOT TO SAY that there aren't bad apples but the reality is, bad apples fall everywhere period.

*DISCLAIMER - it should come as no surprise to most who recognize my name that I was convicted of a "cybercrime" and spent 27 months in club fed. Guess what, life goes on. I currently work at a company where I've been for 5 years. I have access to over 150 million (that's million) customer records and accounts. "Shocking!; the notion that people move on with life and progress positively." Am I an enigma/anomaly?

In my current position I'm *always* vigilant against *ANYTHING* and EVERYTHING that occurs including virus and malware outbreaks.
From my perspective, I'd be the first targeted/looked at if something were to occur, so I do my damnedest to ensure that *NOTHING* occurs. I do my best to make sure *EVERYTHING IS DOCUMENTED*, and there is full auditing and accounting across the board. I do this for various reasons

1) should something occur, (as I stated) I'd be the first to be looked at
2) I'm very well aware of the attack vectors and vulnerabilities blackhats are looking for
3) I make sure everything I do is cross-checked/referenced/logged and audited for my OWN safety/security

People are people period and all of this "not in my backyard" is hypocrisy at best. What's that saying: "Let he who is without sin cast the first stone." ... I know of PLENTY of individuals in this industry who have skated a felony record by turning on their family, friends, etc., and they are in positions of "great trust" and I often scratch my head at others' ignorance when it comes to this matter.

As a security professional, my PERSONAL goals are 1) to be the best that I can be 2) to ensure that the things I do are accounted for, audited 3) ensure wherever I am employed is provided with the utmost security I can provide/learn/give/design. That's just me though.

So back to that statement: "Why would I trust a wolf with sheep..." I say "why would you trust ANYONE/THING with ANYONE/THING without keeping a close eye. You'd be the idiot to allow checks and balances to be missed/overlooked. While you're watching/fearing a felon, it's often going to be someone innocuous that's going to be the "troublemaker."

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
- Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------