Penetration Testing: Re: My Frustrations

[Alex Moen <alexm () ndtel com>]

Adriel,

I am, by no means whatsoever, an experienced, professional, or even focused pentester, but rather an experienced, profesional, focused network 
administrator that is very interested in pen testing for my own knowledge and security of my systems.  I would expect some questions like the ones 
that you are discussing to come from someone like me...  :)
However, I do agree with you that someone calling themselves a security professional or pentester, and charging for their services, should not be 
asking "basic" or low-level questions, especially on a public forum such as this.  I would think that there would be a level of pride or whatever that 
would prevent that to a degree, however, I have always lived by the idea that there is nothing wrong with asking questions, nor are there any stupid 
questions.  At least the professional that is asking questions is trying to improve himself in this regard, and is probably sensitive to his 
limitations... The people that really get to me are the ones who do not ask any questions and are secure that they know everything and that they are 
always right, even when I can prove them wrong.  I sometimes ask some pretty silly questions in respect to my job, although they don't always seem 
silly at the time of the asking and earn a heel-of-the-palm-to-the-forehead from myself in retrospect.
This is not a problem isolated to the security professional world, however.  It is, afaik, in *every* profession.  Our company does web and e-mail 
hosting, PC repair, and network services as well as ISP services, and we have competition in all of those arenas.  Some of the competitors are 
competent professionals, others are fly-by-night half-wits that talk themselves into the graces of the customers.  Those customers eventually get 
burned and come back to us.  It is really up to the customer to determine whom to trust and not to trust, and to do background checks and get 
information and referrals about the companies that they are doing business with, and if they get burned it is no one's fault but their own.  Also, it 
may be a company trying to save a few bucks by hiring the cheapest workforce that they can, rather than the best.  For whatever reason, tho, the poor 
performers never seem to go out of business and keep rearing their ugly heads and leaving messes for the rest of us to clean up...
Anyway, that's my 2 cents on the whole issue.  Hopefully my opinion doesn't earn a bunch of flames.  Just keep doing the best job that you can, and 
remember that the cream always flows to the top.
Alex



Adriel T. Desautels wrote:
> I recently wrote this blog entry and wanted to get some comments from 
> readers of this list. I'm frustrated with the caliber of the people that 
> are offering security services and posing as experts, thats the subject 
> of the post. Please comment, insult, whatever... I'm interested.
> http://snosoft.blogspot.com/
>
>
> Adriel T. Desautels
> ad_lists () netragard com
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------