Penetration Testing mailing list archives

RE: felons as pentesters


From: "Kevin L. Shaw, CISSP, GCIH, GPEN" <kshaw () eeenterprisesinc com>
Date: Fri, 10 Dec 2010 07:58:36 -0700

As in my statement before, I'm with Mark on this one. Those weren't normal people when they bent their morals and committed crimes. There are plenty of upstanding individuals out there to hire, and train even.
-- 
Kevin L. Shaw,  CISSP, GCIH, GPEN
240.593.4261
Sent from my Android

"Mark Brunner" <kohi10 () rogers com> wrote:

J.

Feel free to have an opinion, misguided or otherwise.  BTW, cybercrime? It's just plain old crime.  All that has changed is the vehicle.  Why not an FBI agent.  Temptation is everywhere, and few are immune.  If the return was right, the risk appeared low, and the probability of success was positive, even a saint can be tempted!  I wouldn't hire a known child molester to look after my granddaughter, I won't hire a proven thief to manage my stock portfolio, and if I have a choice between a convicted felon and someone with a clean record, I am going to take a chance on the unknown quantity, and add to the mix my best preventive controls and detective measures.

As soon as the people listed below decided to commit crime, hurt someone, damage something not their own, they became wolves.
That is my 2¢ and humorous, misguided opinion, be the first on your block to collect all ten!

M. Brunner
Information Security Manager & Consultant 
Greater Toronto Area, Ontario Canada

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of J. Oquendo
Sent: Tuesday, December 07, 2010 9:27 AM
To: Mark Brunner; pen-test
Subject: Re: felons as pentesters

On 12/4/2010 2:25 PM, Mark Brunner wrote:

Using wolves to herd sheep is probably counter-productive.  Unless those wolves come with an iron-clad guarantee and a commitment from a reputable and solvent company that will compensate for or replace any missing sheep... Can your rehabilitated wolf do that?  Probably not.  Best pursue a position less "interesting".


This is a humorous and misguided comment, sorry - that's my opinion. I implore you and anyone else to take a look around at 1/3rd of the "cybercrimes" committed (I say one third because it's easy pickings). Ready? (http://en.wikipedia.org/wiki/Lies,_damned_lies,_and_statistics)

If we do some quick math, of the 12 cases that immediately sprout up on Cybercrime.gov, you should be fearing normal individuals more than you should be fearing a "convicted" felon with regards to "cybercrime." In fact, not ONE CASE on that site mentions ANYONE as having a "former record".

From http://www.cybercrime.gov/cc.html

OMG, even an FBI agent...
United States Attorney Jane J. Boyle announced that a federal grand jury in Dallas returned a ten-count indictment today charging Lancaster, Texas, resident, Jeffrey D. Fudge, with various felony charges related to the misuse of his position of trust as a Federal Bureau of Investigation (FBI) investigative analyst.
http://www.cybercrime.gov/fudgeIndict.htm

Not wolves, trusted insiders...
According to the indictment, Camp and Fowler developed a computer virus, which they used to infect UCM computers – including an attempt to infect the computer used by the university's president.

Not a wolf, a normal ordinary person...
David C. Kernell, 23, today was sentenced to one year and one day in prison for intentionally accessing without authorization the e-mail account of former Alaska governor Sarah Palin and obstruction of justice,

Not a wolf, a normal person...
charged Frost with causing damage to a protected computer system and possessing 15 or more unauthorized access devices.

Not a wolf... normal person...
On June 29, 2010, Darnell H. Albert-El, 53, of Richmond, pleaded guilty to one count of intentionally damaging a protected computer without authorization. Albert-El was sentenced today by Senior U.S. District Judge Robert E. Payne in the Eastern

Not a wolf, normal employee
Makwana's laptop and other evidence, revealed that Makwana had transmitted the malicious code on October 24, 2008 which was intended to execute on January 31, 2009. The malicious code was designed to propagate throughout the Fannie Mae network of computers and destroy all data, including financial, securities and mortgage information.

Not a wolf, normal employee/insider
Bruce Raisley, 49, of Kansas City, Mo. – formerly of Monaca, Pa. – following a six-day trial before United States District Judge Robert B. Kugler in Camden. Raisley was convicted of the count charged in the Indictment on which he was tried: launching a malicious computer program designed to attack computers and Internet websites, causing damages.

Not a wolf, normal person...
DANIEL CHRISTOPHER LEONARD, 32, of Olympia, Washington, pleaded guilty today in U.S. District Court in Tacoma to one count of cyber-stalking and four counts of making threatening communications. ... Many of the victims altered their lives because of the phone calls; quitting jobs, moving, and altering their activities because of the threatening and harassing calls. Many cancelled their cell phone numbers, only to start receiving the calls at home or at work.

Not a wolf, normal employee/insider
Shelnutt was a former CariNet employee. Between October 2008 and November 9, 2008, Shelnutt repeatedly accessed CariNet's computer network without authorization and caused damage.

So back to this theory/notion about felons and cybercrime, of all the cases listed on that site, do the breakdown of "repeat offenders" as opposed to making misguided comments "omg they will always be vile, vicious attackers who can't be trusted!" I guarantee you that you have more to fear from normal individuals than you do from someone with a felony. This is NOT TO SAY that there aren't bad apples but the reality is, bad apples fall everywhere period.

*DISCLAIMER - it should come as no surprise to most who recognize my name that I was convicted of a "cybercrime" and spent 27 months in club fed. Guess what, life goes on. I currently work at a company where I've been for 5 years. I have access to over 150 million (that's million) customer records and accounts. "Shocking!; the notion that people move on with life and progress positively." Am I an enigma/anomaly? In my current position I'm *always* vigilant against *ANYTHING* and EVERYTHING that occurs including virus and malware outbreaks. From my perspective, I'd be the first targeted/looked at if something were to occur, so I do my damnedest to ensure that *NOTHING* occurs. I do my best to make sure *EVERYTHING IS DOCUMENTED*, and there is full auditing and accounting across the board. I do this for various reasons 1) should something occur, (as I stated) I'd be the first to be looked at 2) I'm very well aware of the attack vectors and vulnerabilities blackhats are looking for 3) I make sure everything I do is cross-checked/referenced/logged and audited for my OWN safety/security

People are people period and all of this "not in my backyard" is hypocrisy at best. What's that saying: "Let he who is without sin cast the first stone." ... I know of PLENTY of individuals in this industry who have skated a felony record by turning on their family, friends, etc., and they are in positions of "great trust" and I often scratch my head at others' ignorance when it comes to this matter. As a security professional, my PERSONAL goals are 1) to be the best that I can be 2) to ensure that the things I do are accounted for, audited 3) ensure wherever I am employed is provided with the utmost security I can provide/learn/give/design. That's just me though.

So back to that statement: "Why would I trust a wolf with sheep..." I say "why would you trust ANYONE/THING with ANYONE/THING without keeping a close eye." You'd be the idiot to allow checks and balances to be missed/overlooked. While you're watching/fearing a felon, it's often going to be someone innocuous that's going to be the "troublemaker."

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------