Penetration Testing mailing list archives

Re: Professional Script Kiddies vs Real Talent


From: Steve Pinkham <steve.pinkham () gmail com>
Date: Fri, 12 Mar 2010 13:34:39 -0500

Mike wrote:
Good discussion, but I feel both are equally important.  I mean when I
go to the Dr. for an X-ray the technician doesn't have a CLUE as to how
the machine works, but he can push a button.  The Dr. doesn't have a
CLUE as to how the machine works either, but he can hopefully interpret
the picture and give a proper diagnosis.  We all use tools for
pentesting and all that matters is that we can accurately and
intelligently interpret the data; we don't need to fully understand
how the tool works or gathers the data as long as we can make some
sense of it.  My Physics teacher used to laugh, as he was responsible
for creating the MRI machine, and he said Drs. don't know a damn thing
about how it works, but they get paid a LOT of money to read the
results, whereas I got paid crap for building the tool.

Mike

I'm going to have to strongly disagree with your assertion, or at least
my understanding of it.  A doctor and a technician both need to know a
lot about how the machine works so they know the limitations of the
machine. Techs also know how to adjust the radiation level to get
contrast for different body parts, etc. If you don't know on a
functional level how an X-ray machine works, you can't run one, and you
can't interpret the results. Here's a very quick overview of the things
a radiographer needs to do to take an effective x-ray:
http://www.bls.gov/oco/ocos105.htm

Now, that doesn't mean there's anything to gain in building your own
X-ray machine.  X-ray machines are mature technologies, and it is common
knowledge in the field what they can find and cannot find.  We know how
to tune them to get the desired results.  They aren't black boxes with
just a simple on button, however.

Doctors and techs also know a lot about MRI machines in similar ways.
Yes, they might not understand all about the physics, but they know what
the machine can detect, what it can't, and why the output has certain
features.  They need to have a full understanding from a functional
level, if not from the physics perspective.

Network and especially web testing tools are less mature and have tons of
limitations.  They require vetting to know what they can do and what
they can't.  To go back to the doctor analogy, you might be using an
X-ray-like tool when an fMRI is needed. And maybe the fMRI isn't
conclusive and you need to do surgery to take a sample.  Understanding
the tools at a deep level is necessary for a doctor to make these
decisions.

Learning to tune tools to get better results and knowing what things
they just plain cannot do is essential.  Then you can manually work
around the limitations of the tool with other techniques.  There is no
press-a-button, do-my-whole-job-for-me security tool out there, no
matter what the vendors at RSA told you.  There are tools that are great
at certain things, but you really need to understand how they work to be
able to trust them and audit everything else yourself.

Doctors and radiographic technicians also use methodologies that others
who do completely understand the tech have developed, so they know that
they are doing the proper thing.  If you don't understand the tools at a
deep level and aren't following a methodology developed by someone who
does, I can guarantee you're missing tons of vulns and doing a
disservice to your clients.

Steve
--
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |
