Penetration Testing mailing list archives
Re: Professional Scrpt Kiddies vs Real Talent
From: Steve Pinkham <steve.pinkham () gmail com>
Date: Fri, 12 Mar 2010 13:34:39 -0500
Mike wrote:
Good discussion, but I feel both are equally important. I mean when I go to the Dr. for an xray the technician doesn't have a CLUE to how the machine works, but he can push a button. The Dr. doesn't have a CLUE to how the machine works either, but he can hopefully interpret the picture and give a proper diagnoses. We all use tools for pentesting and all that matters is that we can accurately and intelligently interpret the data and we don't need to fully understand how the tool works or gathers the data as long as we can make some sense of it. My Physics teacher used to laugh as he was responsible for creating the MRI machine and he said Dr.'s don't know a damn thing about how it works, but they get paid a LOT of money to read the results where I got paid crap for building the tool. Mike
I'm going to have to strongly disagree with your assertion, or at least my understanding of it. A doctor and a technician both need to know a lot about how the machine works so they know the limitations of the machine. Techs also know how to adjust the radiation level to get contrast for different body parts, etc. If you don't know on a functional level how an X-ray machine works, you can't run one, and you can't interpret the results. Here's a very quick overview of the things a radiographer needs to do to take an effective x-ray: http://www.bls.gov/oco/ocos105.htm Now, that doesn't mean there's anything to gain in building your own x-ray machine. Xray machines are mature technologies, and it is common knowledge in the field what they can find and cannot find. We know how to tune them to get the desired results. They aren't black boxes just a simple on button however. Doctors and techs also know a lot about MRI machines in similar ways. Yes, they might not understand all about the physics, but they know what the machine can detect, what it can't, and why the output has certain features. They need to have a full understanding from a functional level, if not from the physics perspective. Network and especially web testing tools are less mature, have tons of limitations. They require vetting to know what they can do and what they can't. To go back to the doctor analogy, you might be using an x-ray like tool when an fMRI is needed. And maybe the fMRI isn't conclusive and you need to do surgery to take a sample. Understanding the tools at a deep level is necessary for a doctor to make these decisions. Learning to tune tools to get better results and knowing what things they just plain cannot do is essential. Then you can manually work around the limitations of the tool with other techniques. There is no press a button, do my whole job for me security tool out there, no matter what the vendors at RSA told you. There are tools that are great at certain things, but you really need to understand how they work to be able to trust them and audit everything else yourself. Doctors and radiographic technicians also use methodologies that others who do completely understand the tech have developed, so they know that they are doing the proper thing. If you don't understand the tools at a deep level and aren't following a methodology developed by someone who does, I can guarantee you're missing tons of vulns and doing a disservice to your clients. Steve -- | Steven Pinkham, Security Researcher | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB | ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review BoardProve to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: Professional Scrpt Kiddies vs Real Talent, (continued)
- Re: Professional Scrpt Kiddies vs Real Talent Vikram Dhillon (Mar 09)
- Re: Professional Scrpt Kiddies vs Real Talent Omar Herrera (Mar 09)
- Re: Professional Scrpt Kiddies vs Real Talent chr1x (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent 5.K1dd (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent R. DuFresne (Mar 18)
- Re: Professional Scrpt Kiddies vs Real Talent trains (Mar 23)
- Re: Professional Scrpt Kiddies vs Real Talent chr1x (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent Eric Milam (Mar 11)
- Message not available
- Re: Professional Scrpt Kiddies vs Real Talent Adriel T. Desautels (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent Stephen Mullins (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent Mike (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent Steve Pinkham (Mar 15)
- Re: Professional Scrpt Kiddies vs Real Talent Mike (Mar 11)
- Re: Professional Scrpt Kiddies vs Real Talent Adriel T. Desautels (Mar 09)