Penetration Testing mailing list archives

Re: Professional Script Kiddies vs Real Talent


From: Eric Milam <emilam () coretechsg com>
Date: Tue, 09 Mar 2010 08:28:27 -0800

I think it is important to note that these days there is beginning to be
a greater divide in the Security field.  Just like in the early 90's
when a "Computer Guy" did pretty much everything, specific roles began
to be created and specializations were weeded out.

Nowadays we have the same thing going on in our field.  At least at a
more direct level than before.  I use BT for my PT's and use a lot of
tools.  I have written only one tool myself.  I don't consider myself a
script kiddie, because of my mental state.  I am a professional that
uses the tools provided to get a true assessment of what's going on.  I
test the output from those tools and try to stretch it into other things
that an automated tool will not catch.

That being said, I don't set up a full lab and try to install every
piece of software I find on a customer system. (Though I did do this
once one night with Tomcat for a PT)  Not because I don't want to, but
because we don't really have the time.  Our PT's last one week and then
one week to write up the report...so we don't get to do as much as we
want.  That doesn't make us any less diligent and definitely doesn't
make us script kiddies.

Remember script kiddies use tools without any real knowledge or wanting
to understand how they work.  That is the difference between a
professional and an SK.  A pro uses the right tools, looks for new tools
and uses them appropriately.  An SK doesn't give a crap!

Thanks,
Eric

On Mon, 2010-03-08 at 23:55 -0600, Omar Herrera wrote:
Hi Adriel,

I agree that you have script kiddies on both ends, but this is the 
nature of humans. You get your car these days to the mechanic and most of 
them run some kind of scanner without understanding the inner details, 
look at the report, replace the parts and that's it. They do what they 
were trained for, nothing more or nothing else, and sometimes, that's 
just what is needed.

We got scientists and experts that claim to know the ultimate truth, 
just to get debunked by the next generation of great scientists and 
experts in an endless loop.

Now, don't take me wrong, but look at one of your statements:
"

I’m talking about doing actual vulnerability research and exploit development to help educate people about risks for 
the purposes of defense. After all, if a security company can’t write an exploit then what business do they have 
launching exploits against your company?

"
I disagree with this :-), a deep technical understanding is not the only 
way to security in my opinion. I think we can also learn a lot about 
security risks from analysing things like business processes and human 
behaviour.

The people you list do deserve to be highly respected in the 
information sector, but so do others that have chosen different paths 
from technical nirvana. I do understand your feelings for people that 
claim to be something that they are not, but we have created this by 
alienating any newbie that comes to these forums (just for lack of 
knowledge or asking wrong questions). We tend to have heated discussions 
around philosophical issues that don't have a single answer, and let our 
egos flourish as soon as we feel we have grasped enough knowledge to 
consider ourselves experts.

I don't blame newcomers for opting to take the easy path after getting a 
few beatings for asking for knowledge and then getting blamed for this 
(they probably don't even care). Honestly, they are not the problem, we 
are. We try so hard to make this an elite and closed circle that we 
forget about our true goals.

Regards,

Omar


Adriel Desautels wrote:
Posted on: http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html

Comments, insults, etc. on the blog (or here) are more than welcome.

--

The Good Guys in the security world are no different from the Bad Guys; most of them are nothing more than 
glorified Script Kiddies. The fact of the matter is that if you took all of the self-proclaimed hackers in the 
world and you subjected them to a litmus test, very few would pass as actual hackers.

This is true for both sides of the proverbial Black and White hat coin. In the Black Hat world, you have 
script-kids who download programs that are written by other people then use those programs to “hack” into networks. 
The White Hats do the exact same thing; only they buy the expensive tools instead of downloading them for free. Or 
maybe they’re actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies have no idea what the programs actually do. 
Sometimes that’s because they don’t bother to look at the code, but most of the time it’s because they just can’t 
understand it. If you think about it, that is scary. Do you really want to work with a security company that 
launches attacks against your network with tools that they do not fully understand? I sure wouldn’t.

This is part of the reason why I feel that it is so important for any professional security services provider to 
maintain an active research team. I’m not talking about doing market research and pretending that it’s security 
research like so many security companies do. I’m talking about doing actual vulnerability research and exploit 
development to help educate people about risks for the purposes of defense. After all, if a security company can’t 
write an exploit then what business do they have launching exploits against your company?

I am very proud to say that Everything Channel recently released the 2010 CRN Security Researchers list and that 
Netragard’s Kevin Finisterre was on the list. Other people that were included in the list are people that I have 
the utmost respect for. As far as I am concerned, these are the top security experts:

    * Dino Dai Zovi
    * Kevin Finisterre
    * Landon Fuller
    * Robert Graham
    * Jeremiah Grossman
    * Larry Highsmith
    * Billy Hoffman
    * Mikko Hypponen
    * Dan Kaminsky
    * Paul Kocher
    * Nate Lawson
    * David Litchfield
    * Charles Miller
    * Jeff Moss
    * Jose Nazario
    * Joanna Rutkowska


In the end I suppose it all boils down to what the customer wants. Some customers want to know their risks; others 
just want to put a check in the box. For those who want to know what their real risks are, you’ve come to the right 
place.

  


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


