Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Professional Scrpt Kiddies vs Real Talent
From: chr1x <chr1x () sectester net>
Date: Tue, 09 Mar 2010 13:13:02 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To see the real difference between kiddies and real talent? Easy.

You could be a very skilled security guy, but if you never discovered a
vulnerability, or made an exploit, you probably continue being part of
the script kiddie place.

Everybody with a little knowledge of Word or Excel is a good candidate
to be a master sensei using tools like CORE Impàct, Canvas or any
automated tool. Everybody can crack Wireless AP's with BT, but just a
real ninja is able to develop his/her own hacker toolkit.

If you are the guy who looks for software to fit your security testing
needs, you are a kiddie.

Cya.

chr1x

On 08/03/2010 11:55 p.m., Omar Herrera wrote:
Hi Adriel,

I agree that you have script kiddies on both ends, but  this is the
nature of humans. You get you car these days to the mechanic and most of
them run some kind of scanner without understanding the inner details,
look at the report, replace the parts and that's it. They do what they
were trained for, nothing more or nothing else, and sometimes, that's
just what it's needed.

We got scientists and experts that claim to know the ultimate truth,
just to get debunked by the next generation of great scientists and
experts in an endless loop.

Now, don't take me wrong, but look at one of your statements:
"

I’m talking about doing actual vulnerability research and exploit
development to help educate people about risks for the purposes of
defense. After all, if a security company can’t write an exploit then
what business do they have launching exploits against your company?

"
I disagree with this :-), a deep technical understanding is not the only
way to security in my opinion. I think we can also learn a lot about
security risks from analysing things like business processes and human
behaviour.

The people you list do deserve to be highly respected in the
informations sector, but so do others that have chosen different paths
from technical nirvana. I do understand your feelings for people that
claim to be something that they are not, but we have created this by
alienating any newbie that comes to these forums (just for lack of
knowledge or asking wrong questions). We tend to have heated discussions
around philosophical issues that don't have a single answer, and let our
egos flourish as soon as  we feel we have grasped enough knowledge to
consider ourselves experts.

I don't blame newcomers for opting to take the easy path after getting a
few beatings for asking  for knowledge and then getting blamed for this
(they probably don't even care). Honestly, they are not the problem, we
are. We try so hard to make this an elite and closed circle that we
forget about our true goals.

Regards,

Omar


Adriel Desautels escribió:
Posted on:
http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html


Comments, insults, etc. on the blog (or here) are more than welcome.

-- 

The Good Guys in the security world are no different from the Bad
Guys; most of them are nothing more than glorified Script Kiddies. The
fact of the matter is that if you took all of the self-proclaimed
hackers in the world and you subjected them to a litmus test, very few
would pass as actual hackers.

This is true for both sides of the proverbial Black and White hat
coin. In the Black Hat world, you have script-kids who download
programs that are written by other people then use those programs to
“hack” into networks. The White Hat’s do the exact same thing; only
they buy the expensive tools instead of downloading them for free. Or
maybe they’re actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies
have no idea what the programs actually do. Sometimes that’s because
they don’t bother to look at the code, but most of the time its
because they just can’t understand it. If you think about it that that
is scary. Do you really want to work with a security company that
launches attacks against your network with tools that they do not
fully understand? I sure wouldn’t.

This is part of the reason why I feel that it is so important for any
professional security services provider to maintain an active research
team. I’m not talking about doing market research and pretending that
its security research like so many security companies do. I’m talking
about doing actual vulnerability research and exploit development to
help educate people about risks for the purposes of defense. After
all, if a security company can’t write an exploit then what business
do they have launching exploits against your company?

I am very proud to say that Everything Channel recently released the
2010 CRN Security Researchers list and that Netragard’s Kevin
Finisterre was on the list. Other people that were included in the
list are people that I have the utmost respect for. As far as I am
concerned, these are the top security experts:

    * Dino Dai Zovi
    * Kevin Finisterre
    * Landon Fuller
    * Robert Graham
    * Jeremiah Grossman
    * Larry Highsmith
    * Billy Hoffman
    * Mikko Hypponen
    * Dan Kaminsky
    * Paul Kocher
    * Nate Lawson
    * David Litchfield
    * Charles Miller
    * Jeff Moss
    * Jose Nazario
    * Joanna Rutkowska


In the end I suppose it all boils down to what the customer wants.
Some customers want to know their risks; others just want to put a
check in the box. For those who want to know what their real risks
are, you’ve come to the right place.

  


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------




No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 9.0.733 / Virus Database: 271.1.1/2732 - Release Date: 03/09/10 01:33:00

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLlp29AAoJEC7eoa2EW6vf6loH/2+aLG6jj47EVYMQL9Qck/pB
xoc+b/jIh8faoD/AMcaVI4Wpg+rMz0GN2qnGLi1GttMdx01RrUz2twR8NxnMWDXZ
s2Xopf8/yLiPmZQOoKtX5AWTMoik0ogDQZ7QJEOSGPWyckhR/IVJq9xxTvddReN/
BCxLQQtbHnf6pWmh42vhc03y2uWG3K7N28hkIKLERD9JlJDK/Hex9FnEklrJKQ8O
aMYCzP92Jo29XkaOYbtXi4vTjqTj3uA49CKGN/eD01AYqtZ6sbgqIJjaq3yxy8lZ
ZnqoQ3wsY1/Ts0OfdQzSd45ePZZgz3UnTg9V3oa26+UA1pitQiHfsWCHkYOgiMo=
=2F34
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault