Re: Professional Scrpt Kiddies vs Real Talent

[chr1x <chr1x () sectester net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To see the real difference between kiddies and real talent? Easy.

You could be a very skilled security guy, but if you never discovered a
vulnerability, or made an exploit, you probably continue being part of
the script kiddie place.

Everybody with a little knowledge of Word or Excel is a good candidate
to be a master sensei using tools like CORE Impàct, Canvas or any
automated tool. Everybody can crack Wireless AP's with BT, but just a
real ninja is able to develop his/her own hacker toolkit.

If you are the guy who looks for software to fit your security testing
needs, you are a kiddie.

Cya.

chr1x

On 08/03/2010 11:55 p.m., Omar Herrera wrote:
> Hi Adriel,
>
> I agree that you have script kiddies on both ends, but  this is the
> nature of humans. You get you car these days to the mechanic and most of
> them run some kind of scanner without understanding the inner details,
> look at the report, replace the parts and that's it. They do what they
> were trained for, nothing more or nothing else, and sometimes, that's
> just what it's needed.
>
> We got scientists and experts that claim to know the ultimate truth,
> just to get debunked by the next generation of great scientists and
> experts in an endless loop.
>
> Now, don't take me wrong, but look at one of your statements:
> "
>
> I’m talking about doing actual vulnerability research and exploit
> development to help educate people about risks for the purposes of
> defense. After all, if a security company can’t write an exploit then
> what business do they have launching exploits against your company?
>
> "
> I disagree with this :-), a deep technical understanding is not the only
> way to security in my opinion. I think we can also learn a lot about
> security risks from analysing things like business processes and human
> behaviour.
>
> The people you list do deserve to be highly respected in the
> informations sector, but so do others that have chosen different paths
> from technical nirvana. I do understand your feelings for people that
> claim to be something that they are not, but we have created this by
> alienating any newbie that comes to these forums (just for lack of
> knowledge or asking wrong questions). We tend to have heated discussions
> around philosophical issues that don't have a single answer, and let our
> egos flourish as soon as  we feel we have grasped enough knowledge to
> consider ourselves experts.
>
> I don't blame newcomers for opting to take the easy path after getting a
> few beatings for asking  for knowledge and then getting blamed for this
> (they probably don't even care). Honestly, they are not the problem, we
> are. We try so hard to make this an elite and closed circle that we
> forget about our true goals.
>
> Regards,
>
> Omar
>
>
> Adriel Desautels escribió:
> > Posted on:
> > http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html
> >
> >
> > Comments, insults, etc. on the blog (or here) are more than welcome.
> >
> > -- 
> >
> > The Good Guys in the security world are no different from the Bad
> > Guys; most of them are nothing more than glorified Script Kiddies. The
> > fact of the matter is that if you took all of the self-proclaimed
> > hackers in the world and you subjected them to a litmus test, very few
> > would pass as actual hackers.
> >
> > This is true for both sides of the proverbial Black and White hat
> > coin. In the Black Hat world, you have script-kids who download
> > programs that are written by other people then use those programs to
> > “hack” into networks. The White Hat’s do the exact same thing; only
> > they buy the expensive tools instead of downloading them for free. Or
> > maybe they’re actually paying for the pretty GUI, who knows?
> >
> > What is pitiable is that in just about all cases these script kiddies
> > have no idea what the programs actually do. Sometimes that’s because
> > they don’t bother to look at the code, but most of the time its
> > because they just can’t understand it. If you think about it that that
> > is scary. Do you really want to work with a security company that
> > launches attacks against your network with tools that they do not
> > fully understand? I sure wouldn’t.
> >
> > This is part of the reason why I feel that it is so important for any
> > professional security services provider to maintain an active research
> > team. I’m not talking about doing market research and pretending that
> > its security research like so many security companies do. I’m talking
> > about doing actual vulnerability research and exploit development to
> > help educate people about risks for the purposes of defense. After
> > all, if a security company can’t write an exploit then what business
> > do they have launching exploits against your company?
> >
> > I am very proud to say that Everything Channel recently released the
> > 2010 CRN Security Researchers list and that Netragard’s Kevin
> > Finisterre was on the list. Other people that were included in the
> > list are people that I have the utmost respect for. As far as I am
> > concerned, these are the top security experts:
> >
> >     * Dino Dai Zovi
> >     * Kevin Finisterre
> >     * Landon Fuller
> >     * Robert Graham
> >     * Jeremiah Grossman
> >     * Larry Highsmith
> >     * Billy Hoffman
> >     * Mikko Hypponen
> >     * Dan Kaminsky
> >     * Paul Kocher
> >     * Nate Lawson
> >     * David Litchfield
> >     * Charles Miller
> >     * Jeff Moss
> >     * Jose Nazario
> >     * Joanna Rutkowska
> >
> >
> > In the end I suppose it all boils down to what the customer wants.
> > Some customers want to know their risks; others just want to put a
> > check in the box. For those who want to know what their real risks
> > are, you’ve come to the right place.
> >
> >   
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require
> a full practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
>
>
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com 
> Version: 9.0.733 / Virus Database: 271.1.1/2732 - Release Date: 03/09/10 01:33:00
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLlp29AAoJEC7eoa2EW6vf6loH/2+aLG6jj47EVYMQL9Qck/pB
xoc+b/jIh8faoD/AMcaVI4Wpg+rMz0GN2qnGLi1GttMdx01RrUz2twR8NxnMWDXZ
s2Xopf8/yLiPmZQOoKtX5AWTMoik0ogDQZ7QJEOSGPWyckhR/IVJq9xxTvddReN/
BCxLQQtbHnf6pWmh42vhc03y2uWG3K7N28hkIKLERD9JlJDK/Hex9FnEklrJKQ8O
aMYCzP92Jo29XkaOYbtXi4vTjqTj3uA49CKGN/eD01AYqtZ6sbgqIJjaq3yxy8lZ
ZnqoQ3wsY1/Ts0OfdQzSd45ePZZgz3UnTg9V3oa26+UA1pitQiHfsWCHkYOgiMo=
=2F34
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------