RE: My Frustrations

I too understand all your frustrations and gripes, the true question is "What
is considered a TRUE PEN-TESTER? We all have our expertise in a particular
forum and need assistance at times, but to leverage a forum that is truly for
informational and discussion based theories I believe is "SAD" and in itself
highlights your inability to do your job. Not saying everyone should know
everything, but you should take enough pride in becoming an ethical hacker to
know that if you need help, solicit assistance from those who may be smarter
than the average's no way in this Industry, that if I'm
having issues with a particular exploit that I would post that on a Public
forum for someone to socially engineer my potential issues. Only time will
separate the Geeks from the Wanna-be's, and if you are really a geek, you get
a high from the challenge of engineering or hacking an exploit, and you don't
want to share that with no one!!!

Have a Geek Day! :-)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Nick Besant
Sent: Thursday, December 18, 2008 3:58 PM
To: H D Moore
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: My Frustrations

H D Moore wrote:
On Wednesday 17 December 2008, Adriel T. Desautels wrote:

I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people
that are offering security services and posing as experts, thats the
subject of the post. Please comment, insult, whatever... I'm

I agree with it for the most part - half the questions posed to this list
would immediately disqualify the person as an expert, let alone a
professional. The experienced folks tend to just post announcements or
reply back to the former group. I would love to see this list turn back
into real discussions of pen-testing challenges, but publicly asking for
help on a job as reputation-centric as pen-testing carries a stigma of its
own. The last thing you want a potential client to see is your lead pen-
tester asking for help on a SQL injection vulnerability.

I really don't see a way forward.


I think an important issue is that many of the people posting those
questions to the list are failing to avoid the trap of performing purely
subjective assessments. Pen-testing still retains some aspects of a
black art to many, including clients; as tools and "for dummies" guides
proliferate and such tools become easier to use, it becomes easy for
those with minimal experience to put forth a seemingly convincing sales

This includes established professional services organisations and
consultancies as well as smaller establishments; I have seen reports
from these organisations that are very much the reformatted Nessus
output referred to in earlier responses.

With this in mind I agree that there is no obvious way forward - unless
some useful, international, easy-to-use, low-cost regulatory body were
to suddenly pop into existence, perhaps.


This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

Attachment: smime.p7s
Description: S/MIME cryptographic signature