Re: Verify Your Security Provider -- The truth behind manual testing.

["Adriel T. Desautels" <ad_lists () netragard com>]

That makes good sense Mike, point well taken.  But for a security  
company that offers penetration testing and
claims to have their services driven by manual testing, wouldn't it  
benefit them to release research in the form
of advisories, and dare I say in some cases, exploits? It could very  
well be different for individuals, can't argue
with your point there.




On Jul 17, 2009, at 10:19 PM, Mike Messick wrote:

> A couple of thoughts on this:
>
> Sometimes employers prohibit employees from using their real names  
> if it
> can tie them back to where they work, for legal and other reasons  
> (like
> people associating the employer with the researcher even though the
> researcher did all work on their own time.)  Some employers cannot  
> afford
> to have this happen because of the public perception that the employer
> somehow sponsored the work.
>
> Imagine if I work for the FBI and in my own time I develop some way to
> crack wireless networks in very short order.  Even though my  
> employer had
> no participation in this effort, when someone "discovers" where I work
> and it gets slogged through Wired or /. the entire world then thinks  
> the
> Feds are out to get them.
>
> I have several friends who perform some amazing security research  
> and due
> to where they work they are not able to use their real names when
> releasing findings/products to the community.  I have yet to find
> anything underhanded about them, their work, or their employer.
>
> Hope this helps,
> -Mike.
>
> On Fri, 17 Jul 2009, Adriel T. Desautels wrote:
>
> > You are an individual researcher.  And why might I ask do you need to
> > hide behind an alias?  If you
> > do research that is both legal and ethical and if you follow the best
> > practices that you can follow, then
> > why wouldn't you want your name associated with your hard work?
> >
> >
> > On Jul 17, 2009, at 8:21 PM, Stack Smasher wrote:
> >
> > > I think this discussion is seriously flawed. I am a security
> > > researcher who uses several different online aliases when I am
> > > interviewed so I can speak without the fear of corporate or legal
> > > repercussions. My professional person is never tied to my online
> > > presence.
> > >
> > >
> > > I like it better that way.
> > >
> > >
> > >
> > >
> > >
> > > On Fri, Jul 17, 2009 at 7:05 PM, Tim <tim-
> > > pentest () sentinelchicken org> wrote:
> > > >      Anyway, I didn't say Only use facebook did I? Use any means
> > > > possible.  Bottom line is though, if the company has researchers,
> > > then
> > > > the company will have published advisories.  If they've done that,
> > > then
> > > > you should be able to get a good idea of their capability by doing
> > > > research on their research.
> > >
> > > Yeah, I agree that something novel should be getting generated.
> > > Perhaps a better way to go about obtaining it, is simply to ask your
> > > vendor what research their consultants have published.  For instance
> > > most of what I publish isn't tied directly to my company as I do  
> > > quite
> > > a bit of it on my own time.
> > >
> > >
> > > >      Btw, if you comment on the blog, I might post it. :)
> > >
> > > Call me old school, but I actually like mailing lists...
> > >
> > > cheers,
> > > tim
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification
> > > Review Board
> > >
> > > Prove to peers and potential employers without a doubt that you can
> > > actually do a proper penetration test. IACRB CPT and CEPT certs
> > > require a full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
> > >
> > >
> > >
> > >
> > > --
> > > "If you see me laughing, you better have backups"
> >
> >
> >
> >         Adriel T. Desautels
> >         ad_lists () netragard com
> >         --------------------------------------
> >
> >         Subscribe to our blog
> >         http://snosoft.blogspot.com
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification  
> > Review Board
> >
> > Prove to peers and potential employers without a doubt that you can  
> > actually do a proper penetration test. IACRB CPT and CEPT certs  
> > require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------