Re: Professional Scrpt Kiddies vs Real Talent

["Adriel T. Desautels" <ad_lists () netragard com>]

Comments embedded below:


On Mar 8, 2010, at 7:55 PM, simonis () myself com wrote:

> You need to be cautious about creating an overly narrow definition of the security field with your focus on 
> penetration testers versus "hackers".

When shouldn't a penetration tester be a hacker?

>  While those on the list you cite may well be the top researchers in the commercial space, there are numerous other 
> places researchers live and may never get noticed due to the nature of their jobs.

Hence why I made the correction to our blog: " As far as I am concerned, these are some of the best guys in the 
industry:"  When I first wrote it I wrote it as if the list was all inclusive, and that's just impossible. My mistake. 



> Also, you ignore the much broader view of the practitioners of every stripe and discount the impact those putting the 
> research into practice can have on the field.

Care to elaborate? I might be having an idiot moment here, but I'm not following what you are trying to communicate. 

>  You also ignore security executives, who shape the industry with their buying patterns and influence on the 
> corp/gov't agenda.  

What does that have to do with what I wrote?

> Also, your premise that you understand the fundamentals may be flawed.  For every case where you can cite expertise 
> requires detail mastery (e.g., the medical field) I can cite a counter point where you can excel with much more 
> shallow insight into the fundamentals (e.g., does a race car driver need to understand internal combustion?).

Actually, as someone that raced cars for a while, understanding the inner workings of the engine is very important. You 
learn how it sounds, you understand what is happening, all of that lends to you being able to push harder and faster. 

>  A large part of the art a penetration tester uses is knowing which tool is applicable to the task at hand, 
> regardless of if they know at the byte level what that tool does.  They can still provide value without having a 
> detail understanding of assembly.  

Sure they can still provide value, but they can not provide the same depth as someone that understands the byte code. 
When you are trying to defend against a threat that might very well understand that low-level detail, don't you want to 
be tested by someone that does too?  

Would you want to ride in a tank in Iraq if the armor was only ever tested with a BB Gun?  I sure wouldn't.  Test using 
a reproduction of the real threat so that you can build real defenses.  

> Using myself as an example, I have an advanced degree in CompSci and do understand the fundamentals of what an 
> exploit is doing, but I'm absolutely useless as a penetration tester.  I find it boring, preferring the soft side of 
> security (making people take the issue seriously) much more and find it to be immeasurably more challenging.  I'm not 
> alone there.  

Nope, you're certainly not.  In fact, we have quite a few friends that fall into the R&D category but they are not 
penetration testers.  Doing any interesting research right now?  

> -ds
>
> -----Original Message-----
> From: Adriel Desautels <ad_lists () netragard com>
> To: pen-test () securityfocus com
> Sent: Thu, Mar 4, 2010 8:08 pm
> Subject: Professional Scrpt Kiddies vs Real Talent
>
> Posted on: http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html
>
>
>
> Comments, insults, etc. on the blog (or here) are more than welcome.
>
>
>
>
> --
>
>
>
>
> The Good Guys in the security world are no different from the Bad Guys; most of 
>
>
> them are nothing more than glorified Script Kiddies. The fact of the matter is 
>
>
> that if you took all of the self-proclaimed hackers in the world and you 
>
>
> subjected them to a litmus test, very few would pass as actual hackers.
>
>
>
>
> This is true for both sides of the proverbial Black and White hat coin. In the 
>
>
> Black Hat world, you have script-kids who download programs that are written by 
>
>
> other people then use those programs to “hack” into networks. The White Hat’s do 
>
>
> the exact same thing; only they buy the expensive tools instead of downloading 
>
>
> them for free. Or maybe they’re actually paying for the pretty GUI, who knows?
>
>
>
>
> What is pitiable is that in just about all cases these script kiddies have no 
>
>
> idea what the programs actually do. Sometimes that’s because they don’t bother 
>
>
> to look at the code, but most of the time its because they just can’t understand 
>
>
> it. If you think about it that that is scary. Do you really want to work with a 
>
>
> security company that launches attacks against your network with tools that they 
>
>
> do not fully understand? I sure wouldn’t.
>
>
>
>
> This is part of the reason why I feel that it is so important for any 
>
>
> professional security services provider to maintain an active research team. I’m 
>
>
> not talking about doing market research and pretending that its security 
>
>
> research like so many security companies do. I’m talking about doing actual 
>
>
> vulnerability research and exploit development to help educate people about 
>
>
> risks for the purposes of defense. After all, if a security company can’t write 
>
>
> an exploit then what business do they have launching exploits against your 
>
>
> company?
>
>
>
>
> I am very proud to say that Everything Channel recently released the 2010 CRN 
>
>
> Security Researchers list and that Netragard’s Kevin Finisterre was on the list. 
>
>
> Other people that were included in the list are people that I have the utmost 
>
>
> respect for. As far as I am concerned, these are the top security experts:
>
>
>
>
>     * Dino Dai Zovi
>
>
>     * Kevin Finisterre
>
>
>     * Landon Fuller
>
>
>     * Robert Graham
>
>
>     * Jeremiah Grossman
>
>
>     * Larry Highsmith
>
>
>     * Billy Hoffman
>
>
>     * Mikko Hypponen
>
>
>     * Dan Kaminsky
>
>
>     * Paul Kocher
>
>
>     * Nate Lawson
>
>
>     * David Litchfield
>
>
>     * Charles Miller
>
>
>     * Jeff Moss
>
>
>     * Jose Nazario
>
>
>     * Joanna Rutkowska
>
>
>
>
>
>
> In the end I suppose it all boils down to what the customer wants. Some 
>
>
> customers want to know their risks; others just want to put a check in the box. 
>
>
> For those who want to know what their real risks are, you’ve come to the right 
>
>
> place.
>
>
>
>
> ------------------------------------------------------------------------
>
>
> This list is sponsored by: Information Assurance Certification Review Board
>
>
>
>
> Prove to peers and potential employers without a doubt that you can actually do 
>
>
> a proper penetration test. IACRB CPT and CEPT certs require a full practical 
>
>
> examination in order to become certified. 
>
>
>
>
> http://www.iacertification.org
>
> ------------------------------------------------------------------------



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------