Re: Professional Scrpt Kiddies vs Real Talent

["Adriel T. Desautels" <ad_lists () netragard com>]

Hi Craig, long time no talk.  My comments are embedded below:

On Mar 9, 2010, at 2:27 AM, Craig S. Wright wrote:

> The entire notion that security is about pen testing is flawed.

Who said that it was all about pen-testing?  

> Pen testing can say your system sucks, it can find holes. Really so what.
> This does little to actually improve architecture, policy, user behaviour
> etc. There are always holes, security is an economic risk function. 

Absolutely man!

> There are limits to what can be spent on security and too much on Pen
> testing leaves less for mitigation. I see less spent on code testing than on
> getting the site pen tested, whereas I see more vulnerabilities discovered
> with a good secure coder.

Ok.

> Pen testing is but one small aspect of security.

I think this is the first time that we've agreed with each other on list?  What's
going on here?

> Regards,
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Wim Remes
> Sent: Tuesday, 9 March 2010 11:35 AM
> To: Adriel Desautels
> Cc: pen-test () securityfocus com
> Subject: Re: Professional Scrpt Kiddies vs Real Talent
>
> while I understand what triggered this post and/or e-mail, it is barely
> scratching the surface.  Infosec is so much more than finding
> vulnerabilities in products that you can hardly
> limit a list of "security experts" to people doing vulnerability research.
> It just ain't right.  For me there's two kind of people in infosec : People
> that are actually contributing to a
> very open and interactive community (no, not by stepping in the limelight at
> cons and trying to make a name for themselves, this happens on different
> levels and at varying scales) 
> and then there's the parasites who try to surf along on every wave but not
> giving back for what they've taken but rehashing ideas of others and not
> giving proper credit.  The latter
> kind don't tend to hang around for very long though ...
>
> H.D. Moore comes to mind.  He's probably one of the smartest infosec people
> around.  Do you blame him for creating Metasploit and enabling scriptkiddies
> to hack or do you credit him
> for creating Metasploit which allows companies and overworked admins to
> actually perform some kind of pentesting and learn about security in the
> software they use ? I'll choose the latter.
> Sure, 9 out of 10 won't use it as it was intended (a exploit development
> framework) but if 1 out of 10 does, that's enough of a result to continue.
>
> I disagree with your position that any serious security services provider
> HAS TO DO security research (vulnerability research and exploit
> development). Fact is, it rarely educates people about risk.  At best
> it makes them take a second look at their patch management process. 
>
> In the end, everybody actively working to share information and knowledge on
> a daily basis to advance the infosec profession is a rockstar in my book.
> And yes, that includes people talking about DNSSEC on stage
> while under the influence of copious amounts of bourbon.
>
> Cheers,
>
> W
>
> On 05 Mar 2010, at 03:08, Adriel Desautels wrote:
>
> > Posted on:
> http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html
> > Comments, insults, etc. on the blog (or here) are more than welcome.
> >
> > --
> >
> > The Good Guys in the security world are no different from the Bad Guys;
> most of them are nothing more than glorified Script Kiddies. The fact of the
> matter is that if you took all of the self-proclaimed hackers in the world
> and you subjected them to a litmus test, very few would pass as actual
> hackers.
> > This is true for both sides of the proverbial Black and White hat coin. In
> the Black Hat world, you have script-kids who download programs that are
> written by other people then use those programs to "hack" into networks. The
> White Hat's do the exact same thing; only they buy the expensive tools
> instead of downloading them for free. Or maybe they're actually paying for
> the pretty GUI, who knows?
> > What is pitiable is that in just about all cases these script kiddies have
> no idea what the programs actually do. Sometimes that's because they don't
> bother to look at the code, but most of the time its because they just can't
> understand it. If you think about it that that is scary. Do you really want
> to work with a security company that launches attacks against your network
> with tools that they do not fully understand? I sure wouldn't.
> > This is part of the reason why I feel that it is so important for any
> professional security services provider to maintain an active research team.
> I'm not talking about doing market research and pretending that its security
> research like so many security companies do. I'm talking about doing actual
> vulnerability research and exploit development to help educate people about
> risks for the purposes of defense. After all, if a security company can't
> write an exploit then what business do they have launching exploits against
> your company?
> > I am very proud to say that Everything Channel recently released the 2010
> CRN Security Researchers list and that Netragard's Kevin Finisterre was on
> the list. Other people that were included in the list are people that I have
> the utmost respect for. As far as I am concerned, these are the top security
> experts:
> >   * Dino Dai Zovi
> >   * Kevin Finisterre
> >   * Landon Fuller
> >   * Robert Graham
> >   * Jeremiah Grossman
> >   * Larry Highsmith
> >   * Billy Hoffman
> >   * Mikko Hypponen
> >   * Dan Kaminsky
> >   * Paul Kocher
> >   * Nate Lawson
> >   * David Litchfield
> >   * Charles Miller
> >   * Jeff Moss
> >   * Jose Nazario
> >   * Joanna Rutkowska
> >
> >
> > In the end I suppose it all boils down to what the customer wants. Some
> customers want to know their risks; others just want to put a check in the
> box. For those who want to know what their real risks are, you've come to
> the right place.
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review
> Board
> > Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually
> do a proper penetration test. IACRB CPT and CEPT certs require a full
> practical examination in order to become certified. 
>
> http://www.iacertification.org
> ------------------------------------------------------------------------



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------