Re: Professional Script Kiddies vs Real Talent



Good discussion, but I feel both are equally important. I mean when I
go to the Dr. for an x-ray the technician doesn't have a CLUE as to how
the machine works, but he can push a button. The Dr. doesn't have a
CLUE as to how the machine works either, but he can hopefully interpret
the picture and give a proper diagnosis. We all use tools for
pentesting, and all that matters is that we can accurately and
intelligently interpret the data; we don't need to fully understand
how the tool works or gathers the data as long as we can make some
sense of it. My Physics teacher used to laugh, as he was responsible
for creating the MRI machine, and he said Drs. don't know a damn thing
about how it works, but they get paid a LOT of money to read the
results whereas I got paid crap for building the tool.

Mike

On Wed, Mar 10, 2010 at 3:44 PM, Stephen Mullins
<steve.mullins.work@xxxxxxxxx> wrote:
True talent is hard to find in any realm of human endeavor.  However,
there is plenty of work to go around and not every security job
requires a super hacker.  There simply aren't enough "legit" people in
the industry to handle the monumental task of securing everything that
must be secured.  Sometimes you need Michelangelo and sometimes you
just need your house painted.

Quite a fine advertisement you have here though.

Steve Mullins

On Thu, Mar 4, 2010 at 9:08 PM, Adriel Desautels <ad_lists@xxxxxxxxxxxxx> wrote:
Posted on: http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html

Comments, insults, etc. on the blog (or here) are more than welcome.

--

The Good Guys in the security world are no different from the Bad Guys; most of them are nothing more than glorified Script Kiddies. The fact of the matter is that if you took all of the self-proclaimed hackers in the world and you subjected them to a litmus test, very few would pass as actual hackers.

This is true for both sides of the proverbial Black and White hat coin. In the Black Hat world, you have script-kids who download programs that are written by other people and then use those programs to “hack” into networks. The White Hats do the exact same thing; only they buy the expensive tools instead of downloading them for free. Or maybe they’re actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies have no idea what the programs actually do. Sometimes that’s because they don’t bother to look at the code, but most of the time it’s because they just can’t understand it. If you think about it, that is scary. Do you really want to work with a security company that launches attacks against your network with tools that they do not fully understand? I sure wouldn’t.

This is part of the reason why I feel that it is so important for any professional security services provider to maintain an active research team. I’m not talking about doing market research and pretending that it’s security research like so many security companies do. I’m talking about doing actual vulnerability research and exploit development to help educate people about risks for the purposes of defense. After all, if a security company can’t write an exploit, then what business do they have launching exploits against your company?

I am very proud to say that Everything Channel recently released the 2010 CRN Security Researchers list and that Netragard’s Kevin Finisterre was on the list. Other people that were included in the list are people that I have the utmost respect for. As far as I am concerned, these are the top security experts:

   * Dino Dai Zovi
   * Kevin Finisterre
   * Landon Fuller
   * Robert Graham
   * Jeremiah Grossman
   * Larry Highsmith
   * Billy Hoffman
   * Mikko Hypponen
   * Dan Kaminsky
   * Paul Kocher
   * Nate Lawson
   * David Litchfield
   * Charles Miller
   * Jeff Moss
   * Jose Nazario
   * Joanna Rutkowska


In the end I suppose it all boils down to what the customer wants. Some customers want to know their risks; others just want to put a check in the box. For those who want to know what their real risks are, you’ve come to the right place.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------