Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Professional Scrpt Kiddies vs Real Talent
From: "Ron.Southworth" <Ron.Southworth () scadaperspective com>
Date: Tue, 9 Mar 2010 07:17:22 +1000

Adriel you are always if nothing else good at stirring a comment. 

Visualisation tools are actually a good thing for humans so using GUI does
not make you a neophyte. Not all GUI users are "evil nare do wells" so
measuring a skill level based on someone's ability or currency to write code
is a flawed assumption. It is actually pretty clever to not reinvent the
wheel all the time. Visualising complex and fast moving abstracts is
actually very clever so shame you miss this sort of benefit. 

Ron


 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Adriel Desautels
Sent: Friday, 5 March 2010 12:09 PM
To: pen-test () securityfocus com
Subject: Professional Scrpt Kiddies vs Real Talent

Posted on:
http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html

Comments, insults, etc. on the blog (or here) are more than welcome.

--

The Good Guys in the security world are no different from the Bad Guys; most
of them are nothing more than glorified Script Kiddies. The fact of the
matter is that if you took all of the self-proclaimed hackers in the world
and you subjected them to a litmus test, very few would pass as actual
hackers.

This is true for both sides of the proverbial Black and White hat coin. In
the Black Hat world, you have script-kids who download programs that are
written by other people then use those programs to "hack" into networks. The
White Hat's do the exact same thing; only they buy the expensive tools
instead of downloading them for free. Or maybe they're actually paying for
the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies have
no idea what the programs actually do. Sometimes that's because they don't
bother to look at the code, but most of the time its because they just can't
understand it. If you think about it that that is scary. Do you really want
to work with a security company that launches attacks against your network
with tools that they do not fully understand? I sure wouldn't.

This is part of the reason why I feel that it is so important for any
professional security services provider to maintain an active research team.
I'm not talking about doing market research and pretending that its security
research like so many security companies do. I'm talking about doing actual
vulnerability research and exploit development to help educate people about
risks for the purposes of defense. After all, if a security company can't
write an exploit then what business do they have launching exploits against
your company?

I am very proud to say that Everything Channel recently released the 2010
CRN Security Researchers list and that Netragard's Kevin Finisterre was on
the list. Other people that were included in the list are people that I have
the utmost respect for. As far as I am concerned, these are the top security
experts:

    * Dino Dai Zovi
    * Kevin Finisterre
    * Landon Fuller
    * Robert Graham
    * Jeremiah Grossman
    * Larry Highsmith
    * Billy Hoffman
    * Mikko Hypponen
    * Dan Kaminsky
    * Paul Kocher
    * Nate Lawson
    * David Litchfield
    * Charles Miller
    * Jeff Moss
    * Jose Nazario
    * Joanna Rutkowska


In the end I suppose it all boils down to what the customer wants. Some
customers want to know their risks; others just want to put a check in the
box. For those who want to know what their real risks are, you've come to
the right place.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]