RE: Professional Scrpt Kiddies vs Real Talent

["Porttikivi, Anssi" <anssi.porttikivi () kpmg fi>]

My two cents: any industry that is changing and evolving rapidly will
have more demand than offer for new skills. The professional master who
understands _everything_ certainly will be too expensive to deploy for
most customers, and there will be demand for less talented and less
experienced, cheaper people. In a dynamic industry there will also
necessarily be (many kinds of) risk appetite in customers, so they are
willing to hire services w/o guarantees of the quality. So there will be
successful mediocre services with high price. 

But it does not come to "easy to use tools are bad, hard to use tools
are good". And the elitist attitude is often sheer stupidity. Like the
guy who complained to me that I was using OWASP WebGoat and a proxy to
teach Web hacking, mocking that as "an automated tool for fools" (the
guy obviously did not even know what WebGoat is).

And I am tired of technical vs. non-technical security contradiction. My
motto, that you are free to quote:

"Security is just like any other modern warfare. You need top notch guns
and technology, but guns without proper strategic insights and
leadership are waste of money, or worse, dangerous."

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ron.Southworth
Sent: 8. maaliskuuta 2010 23:17
To: pen-test () securityfocus com
Subject: RE: Professional Scrpt Kiddies vs Real Talent

Adriel you are always if nothing else good at stirring a comment. 

Visualisation tools are actually a good thing for humans so using GUI
does not make you a neophyte. Not all GUI users are "evil nare do wells"
so measuring a skill level based on someone's ability or currency to
write code is a flawed assumption. It is actually pretty clever to not
reinvent the wheel all the time. Visualising complex and fast moving
abstracts is actually very clever so shame you miss this sort of
benefit. 

Ron


 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adriel Desautels
Sent: Friday, 5 March 2010 12:09 PM
To: pen-test () securityfocus com
Subject: Professional Scrpt Kiddies vs Real Talent

Posted on:
http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.h
tml

Comments, insults, etc. on the blog (or here) are more than welcome.

--

The Good Guys in the security world are no different from the Bad Guys;
most of them are nothing more than glorified Script Kiddies. The fact of
the matter is that if you took all of the self-proclaimed hackers in the
world and you subjected them to a litmus test, very few would pass as
actual hackers.

This is true for both sides of the proverbial Black and White hat coin.
In the Black Hat world, you have script-kids who download programs that
are written by other people then use those programs to "hack" into
networks. The White Hat's do the exact same thing; only they buy the
expensive tools instead of downloading them for free. Or maybe they're
actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies
have no idea what the programs actually do. Sometimes that's because
they don't bother to look at the code, but most of the time its because
they just can't understand it. If you think about it that that is scary.
Do you really want to work with a security company that launches attacks
against your network with tools that they do not fully understand? I
sure wouldn't.

This is part of the reason why I feel that it is so important for any
professional security services provider to maintain an active research
team.
I'm not talking about doing market research and pretending that its
security research like so many security companies do. I'm talking about
doing actual vulnerability research and exploit development to help
educate people about risks for the purposes of defense. After all, if a
security company can't write an exploit then what business do they have
launching exploits against your company?

I am very proud to say that Everything Channel recently released the
2010 CRN Security Researchers list and that Netragard's Kevin Finisterre
was on the list. Other people that were included in the list are people
that I have the utmost respect for. As far as I am concerned, these are
the top security
experts:

    * Dino Dai Zovi
    * Kevin Finisterre
    * Landon Fuller
    * Robert Graham
    * Jeremiah Grossman
    * Larry Highsmith
    * Billy Hoffman
    * Mikko Hypponen
    * Dan Kaminsky
    * Paul Kocher
    * Nate Lawson
    * David Litchfield
    * Charles Miller
    * Jeff Moss
    * Jose Nazario
    * Joanna Rutkowska


In the end I suppose it all boils down to what the customer wants. Some
customers want to know their risks; others just want to put a check in
the box. For those who want to know what their real risks are, you've
come to the right place.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

The information in this e-mail (and any attachments) is intended exclusively for the addressee(s). Any use by a party 
other than the addressee(s) is prohibited. The information may be confidential in nature and fall under a duty of 
non-disclosure. If you are not the addressee, please notify the sender and delete this e-mail. KPMG cannot guarantee 
that e-mail communications are secure or error-free, as information could be intercepted, corrupted, amended, lost, 
destroyed, arrive late or incomplete, or contain viruses. Any opinions or advice contained in this e-mail are subject 
to the terms and conditions expressed in the governing KPMG client engagement letter. Please consider the environment 
before printing this email.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------