RE: "Free" pen-test

["Pete" <pen_test_list () petesmithcomputers com>]

<snip>

> > My question is this: how do white-hatters usually approach these 
> > things?

<snip> 

hellNbak answered:

> So let me get this straight.  You engaged in completey 
> unethical behaviour
> -- offered a free pen-test and now you are mad because you 
> were not able to "scare" this guy into buying services from you?

You misunderstand me (perhaps deliberately?). I'm not in the security
industry. I was tipped that a local firm had security issues. I have
contacts who could provide the security that they need, so I went about
bringing the two together. Mr Director agreed to a pen-test on the basis
that our degree of success may or may not lead to a sales meeting. This
wasn't blackmail, just an honest attempt to show a reluctant (and smug)
manager that he was vulnerable. OK, we wasted some time (it seems) -
some people just don't want a mirror held up to them.

Miguel's remarks are more useful. I'm interested in the approach to the
psychology of this thing: what do you do when you know someone is wrong
about his/her security but just refuses to see it? If I'd waited for
this guy to approach me I'd have waited all my life. Likewise, if I'd
tried to sell him a full pen-test backed up with a complete security
report, he'd never have seen the need for it.

Well...any more comments would be interesting.

Pete 


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------