RE: "Free" pen-test

From: Pete (pen_test_list_at_petesmithcomputers.com)
Date: 06/20/03

  • Next message: J.A. Terranson: "RE: "Free" pen-test"
    To: <pen-test@securityfocus.com>
    Date: Fri, 20 Jun 2003 09:31:29 +0100
    
    

    <snip>

    > > My question is this: how do white-hatters usually approach these
    > > things?

    <snip>

    hellNbak answered:

    > So let me get this straight. You engaged in completely
    > unethical behaviour
    > -- offered a free pen-test and now you are mad because you
    > were not able to "scare" this guy into buying services from you?

    You misunderstand me (perhaps deliberately?). I'm not in the security
    industry. I was tipped that a local firm had security issues. I have
    contacts who could provide the security that they need, so I went about
    bringing the two together. Mr Director agreed to a pen-test on the basis
    that our degree of success may or may not lead to a sales meeting. This
    wasn't blackmail, just an honest attempt to show a reluctant (and smug)
    manager that he was vulnerable. OK, we wasted some time (it seems) -
    some people just don't want a mirror held up to them.

    Miguel's remarks are more useful. I'm interested in the approach to the
    psychology of this thing: what do you do when you know someone is wrong
    about his/her security but just refuses to see it? If I'd waited for
    this guy to approach me I'd have waited all my life. Likewise, if I'd
    tried to sell him a full pen-test backed up with a complete security
    report, he'd never have seen the need for it.

    Well...any more comments would be interesting.

    Pete


