Penetration Testing mailing list archives
Re: Verify Your Security Provider -- The truth behind manual testing.
From: Mike Messick <mikem () tridigitalenterprises com>
Date: Fri, 17 Jul 2009 18:19:33 -0800 (AKDT)
A couple of thoughts on this: Sometimes employers prohibit employees from using their real names if it can tie them back to where they work, for legal and other reasons (like people associating the employer with the researcher even though the researcher did all work on their own time.) Some employers cannot afford to have this happen because of the public perception that the employer somehow sponsored the work. Imagine if I work for the FBI and in my own time I develop some way to crack wireless networks in very short order. Even though my employer had no participation in this effort, when someone "discovers" where I work and it gets slogged through Wired or /. the entire world then thinks the Feds are out to get them. I have several friends who perform some amazing security research and due to where they work they are not able to use their real names when releasing findings/products to the community. I have yet to find anything underhanded about them, their work, or their employer. Hope this helps, -Mike. On Fri, 17 Jul 2009, Adriel T. Desautels wrote:
You are an individual researcher. And why might I ask do you need to hide behind an alias? If you do research that is both legal and ethical and if you follow the best practices that you can follow, then why wouldn't you want your name associated with your hard work? On Jul 17, 2009, at 8:21 PM, Stack Smasher wrote:I think this discussion is seriously flawed. I am a security researcher who uses several different online aliases when I am interviewed so I can speak without the fear of corporate or legal repercussions. My professional person is never tied to my online presence. I like it better that way. On Fri, Jul 17, 2009 at 7:05 PM, Tim <tim- pentest () sentinelchicken org> wrote:Anyway, I didn't say Only use facebook did I? Use any means possible. Bottom line is though, if the company has researchers,thenthe company will have published advisories. If they've done that,thenyou should be able to get a good idea of their capability by doing research on their research.Yeah, I agree that something novel should be getting generated. Perhaps a better way to go about obtaining it, is simply to ask your vendor what research their consultants have published. For instance most of what I publish isn't tied directly to my company as I do quite a bit of it on my own time.Btw, if you comment on the blog, I might post it. :)Call me old school, but I actually like mailing lists... cheers, tim ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ -- "If you see me laughing, you better have backups"Adriel T. Desautels ad_lists () netragard com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Tim (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Tim (Jul 17)
- Message not available
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Justin Ferguson (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Mike Messick (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Mike Messick (Jul 18)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Tim (Jul 17)
- Message not available
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 18)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- RE: Verify Your Security Provider -- The truth behind manual testing. Geoff Galitz (Jul 18)
- Re: Verify Your Security Provider -- The truth behind manual testing. Justin Ferguson (Jul 18)
- Re: Verify Your Security Provider -- The truth behind manual testing. Aarón Mizrachi (Jul 19)