Penetration Testing
mailing list archives
Re: My Frustrations
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Thu, 18 Dec 2008 10:45:36 -0500
Amen brother! I do particularly agree about the certification comment
that you've made. I frequently run into people who are certified with
all sorts of goodies, but then when I ask them a simple question like
"What is the significance of the EIP?" they respond with "What's an
EIP?".
Can I post your comment on the blog, or maybe you can do it?
On Dec 18, 2008, at 10:35 AM, security curmudgeon wrote:
: I recently wrote this blog entry and wanted to get some comments from
: readers of this list. I'm frustrated with the caliber of the people that
: are offering security services and posing as experts, that's the subject
: of the post. Please comment, insult, whatever... I'm interested.
:
: http://snosoft.blogspot.com/
You are preaching to a (very small) choir here. The kind of choir that
everyone thinks they are a part of.
First, this problem isn't new [1]. The industry has had its fair share of
charlatans and frauds over the years. In the last five years, the number
of posts to this list and others that start out with "i've been
[hired|told|contracted] to do a pen test of our
[network|application|physical] security, where do i begin?" is bordering
on absurd. Many of the posts are done from gmail accounts that have no
obvious association with a name or company, for obvious reasons.
Second, the number of times you see these questions come from 'certified'
professionals is silly. I frequently get forwards from lists full of
CISSPs that post this kind of question, begging the world to wonder why
anyone thinks that certification holds water. If not certified, from
people with 'security' and/or 'engineer' in their official title. Some
posts suggest a company decided to tell a junior analyst to do a full
blown pen-test, likely to save a few bucks. Others, the wannabe-pentester
is definitely over eager and grossly exaggerating their claims of being
qualified.
Last, it's only going to get worse.
- jericho
[1] http://attrition.org/errata/
Adriel T. Desautels
ad_lists () netragard com