Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Fri, 19 Dec 2008 09:51:23 -0500

Not if you know a thing about exploiting bugs.


On Dec 19, 2008, at 8:47 AM, suess13 wrote:

IMO or In my Opinion, Isn't that like asking what the significance of DLP? It all depends on the context of which the question was asked. DLP could
mean Digital Light Processing or Data leakage prevention.


EIP may refer to:

Economically inactive population
Enterprise information portal, a type of web portal
Eco-industrial park, a type of industrial park
Extended Instruction Pointer, an address register in the IA-32 architecture
Xerox's Extensible Interface Platform, a software platform upon which
developers can create server-based applications that can be configured for a
multifunction printer's touch-screen interface
South Carolina Employee Insurance Program.

Or how about the Significance of CUA.

CUA Catholic University of America
CUA Common User Access
CUA Canadian Urological Association
CUA Cost Utility Analysis
CUA Certified Usability Analyst
CUA Clean Up Australia
CUA Commonly Used Acronym
CUA Center for Ultracold Atoms
CUA Credit Union Atlantic (Nova Scotia, Canada)
CUA Commercial Use Authorization
CUA Compassionate Use Act of 1996 (California)
CUA Centralized User Administration (Nortel)
CUA Certified Urologic Associate (nursing)
CUA Circuit Unit Assembly
CUA Carrier Utilization Agreement
CUA Co-Utilization Agreement
CUA Catholic University of Angola
CUA CU Aerospace (Champaign, Illinois)
CUA Combat Useable Asset
CUA Computer User Access
CUA Connection Update Acknowledge
CUA Cross-, Up-Selling and Accessories Products (SAP Internet Sales
Web-Shop)
CUA Communications Unit Automation
CUA Certified Unix Administrator
CUA Cisco Unity Assistant

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com ] On
Behalf Of Adriel T. Desautels
Sent: Thursday, December 18, 2008 10:46 AM
To: security curmudgeon
Cc: pen-test list
Subject: Re: My Frustrations

Amen brother! I do particularly agree about the certification comment
that you've made. I frequently run into people who are certified with
all sorts of goodies, but then when I ask them a simple question like
"What is the significance of the EIP?" they respond with "What's an
EIP?".

Can I post your comment on the blog, or maybe you can do it?

On Dec 18, 2008, at 10:35 AM, security curmudgeon wrote:



: I recently wrote this blog entry and wanted to get some comments
from
: readers of this list. I'm frustrated with the caliber of the
people that
: are offering security services and posing as experts, thats the
subject
: of the post. Please comment, insult, whatever... I'm interested.
:
: http://snosoft.blogspot.com/

You are preaching to a (very small) choir here. The kind of choir
where
everyone thinks they are a part of.

First, this problem isn't new [1]. The industry has had its fair
share of
charlatans and frauds over the years. In the last five years, the
number
of posts to this list and others is bordering on absurd, that start
out
with "i've been [hired|told|contracted] to do a pen test of our
[network|application|physical] security, where do i begin?" Many of
the
posts are done from gmail accounts that have no obvious association
with a
name or company, for obvious reasons.

Second, the number of times you see these questions come from
'certificed'
professionals is silly. I frequently get forwards from lists full of
CISSPs that post this kind of question, begging the world to wonder
why
anyone thinks that certification holds water. If not certified, from
people with 'security' and/or 'engineer' in their official title. Some
posts suggest a company decided to tell a junior analyst to do a full
blown pen-test, likely to save a few bucks. Others, the wannabe-
pentester
is definitely over eager and grossly exaggerating their claims of
being
qualified.

Last, it's only going to get worse.

- jericho


[1] http://attrition.org/errata/

Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------




Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault