Re: Verify Your Security Provider -- The truth behind manual testing.

["Adriel T. Desautels" <ad_lists () netragard com>]

You don't think I understand?

Full Disclosure is a method by which vendors can be forced into fixing  
problems in their technology.  If they refuse to address the issue, or  
refuse to respond, take the issue public and they will respond.   
Keeping it private keeps customers at risk and does nothing to help  
people protect themselves.  Take this as an example.  We went forward  
here, the vendor didn't want to resolve the problem.

http://snosoft.blogspot.com/2009/02/cambium-group-llc-camas-advisory.html

How does one get blacklisted in the security industry? Kevin Mitnick  
isn't even black listed.

A fine like between hacker and security analyst? IMHO they are one in  
the same, sometimes.

Who is to say that a hacker can't be business savvy?  Take a look at  
the old l0pht crew, they are pretty sharp on all ends.

You were one what before the other what?


On Jul 17, 2009, at 9:01 PM, Stack Smasher wrote:

> You do not seem to understand. When you find a vulnerability or a  
> vendor/corporation who refuses to fix major security issues and you  
> go public with the information you burn yourself in the corporate  
> world.
>
> I know there are some people in the security industry who are  
> blacklisted and cannot work for corporate America because of the  
> views they project. This has a trickle down effect.
>
> Also there is a fine line between "Hacker" and "Security Analyst"
>
>
> I want someone who thinks like a Hacker but who has the business  
> savvy of a security analyst.
>
>
> Lets just say I was one before the other : )
>
>
>
>
>
>
> On Fri, Jul 17, 2009 at 8:50 PM, Adriel T. Desautels <ad_lists () netragard com 
> > wrote:
> You are an individual researcher.  And why might I ask do you need  
> to hide behind an alias?  If you
> do research that is both legal and ethical and if you follow the  
> best practices that you can follow, then
> why wouldn't you want your name associated with your hard work?
>
>
> On Jul 17, 2009, at 8:21 PM, Stack Smasher wrote:
>
>
> I think this discussion is seriously flawed. I am a security  
> researcher who uses several different online aliases when I am  
> interviewed so I can speak without the fear of corporate or legal  
> repercussions. My professional person is never tied to my online  
> presence.
>
>
> I like it better that way.
>
>
>
>
>
> On Fri, Jul 17, 2009 at 7:05 PM, Tim <tim- 
> pentest () sentinelchicken org> wrote:
> >       Anyway, I didn't say Only use facebook did I? Use any means
> > possible.  Bottom line is though, if the company has researchers,  
> then
> > the company will have published advisories.  If they've done that,  
> then
> > you should be able to get a good idea of their capability by doing
> > research on their research.
>
> Yeah, I agree that something novel should be getting generated.
> Perhaps a better way to go about obtaining it, is simply to ask your
> vendor what research their consultants have published.  For instance
> most of what I publish isn't tied directly to my company as I do quite
> a bit of it on my own time.
>
>
> >       Btw, if you comment on the blog, I might post it. :)
>
> Call me old school, but I actually like mailing lists...
>
> cheers,
> tim
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification  
> Review Board
>
> Prove to peers and potential employers without a doubt that you can  
> actually do a proper penetration test. IACRB CPT and CEPT certs  
> require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
>
>
>
> --
> "If you see me laughing, you better have backups"
>
>
>
>
>
>        Adriel T. Desautels
>        ad_lists () netragard com
>        --------------------------------------
>
>        Subscribe to our blog
>        http://snosoft.blogspot.com
>
>
>
>
> --
> "If you see me laughing, you better have backups"



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------