Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Thu, 18 Dec 2008 10:41:42 -0500

Alex,
Nice post, I enjoyed reading that. I agree with you that people should come to the list and as questions, that is after all how we all learned. When someone comes to this list and tells us that he's already started a penetration and needs some direction with a problem, that is perfectly fine. But when the direction that he is requesting is elementary in nature and is something like "how do I run this exploit" or "how can I use XSS" or "Why is SQL Injection risky", that makes me cringe.

The real issue is that in this industry the cream doesn't float to the top without a fight. Thats because there are very few people who are not experts that can tell the difference between who is an expert and who isn't. As a result customers purchase services from people thinking that they are experts, when they aren't. The get that fake kit-car ferrari but pay for the real thing. Or maybe they get the fake ferrari and pay less but think that they are getting the real thing.

Just as an FYI, my motivation for shedding light on this subject is to protect people. When you purchase security services and you're not an expert, you expect to feel secure and safe after everything is said and done. If the people offering the services don't know what they are doing then what they are really selling you is a false sense of security. In my opinion thats almost criminal.


On Dec 18, 2008, at 10:31 AM, Alex Moen wrote:

Adriel,

I am, by no means whatsoever, an experienced, professional, or even focused pentester, but rather an experienced, profesional, focused network administrator that is very interested in pen testing for my own knowledge and security of my systems. I would expect some questions like the ones that you are discussing to come from someone like me... :)

However, I do agree with you that someone calling themselves a security professional or pentester, and charging for their services, should not be asking "basic" or low-level questions, especially on a public forum such as this. I would think that there would be a level of pride or whatever that would prevent that to a degree, however, I have always lived by the idea that there is nothing wrong with asking questions, nor are there any stupid questions. At least the professional that is asking questions is trying to improve himself in this regard, and is probably sensitive to his limitations... The people that really get to me are the ones who do not ask any questions and are secure that they know everything and that they are always right, even when I can prove them wrong. I sometimes ask some pretty silly questions in respect to my job, although they don't always seem silly at the time of the asking and earn a heel-of-the-palm-to-the-forehead from myself in retrospect.

This is not a problem isolated to the security professional world, however. It is, afaik, in *every* profession. Our company does web and e-mail hosting, PC repair, and network services as well as ISP services, and we have competition in all of those arenas. Some of the competitors are competent professionals, others are fly-by-night half-wits that talk themselves into the graces of the customers. Those customers eventually get burned and come back to us. It is really up to the customer to determine whom to trust and not to trust, and to do background checks and get information and referrals about the companies that they are doing business with, and if they get burned it is no one's fault but their own. Also, it may be a company trying to save a few bucks by hiring the cheapest workforce that they can, rather than the best. For whatever reason, tho, the poor performers never seem to go out of business and keep rearing their ugly heads and leaving messes for the rest of us to clean up...

Anyway, that's my 2 cents on the whole issue. Hopefully my opinion doesn't earn a bunch of flames. Just keep doing the best job that you can, and remember that the cream always flows to the top.

Alex



Adriel T. Desautels wrote:
I recently wrote this blog entry and wanted to get some comments from readers of this list. I'm frustrated with the caliber of the people that are offering security services and posing as experts, thats the subject of the post. Please comment, insult, whatever... I'm interested.
http://snosoft.blogspot.com/
Adriel T. Desautels
ad_lists () netragard com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]