Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- From: Laurelai <laurelai@xxxxxxxxxxxx>
- Date: Sat, 07 Jan 2012 18:24:04 -0600
On 1/7/12 6:20 PM, Valdis.Kletnieks@xxxxxx wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that. A good pen-tester needs more skills than just
> how to pwn a server. You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate
> those rules of engagement before you do anything else). Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting. And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
>
> Almost no company is stupid enough to hire a pen testing team without that
> team posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
>
> And the kids are going to land a $1M performance bond, how?
>
> (Hint - think this through. Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
>
>> their so-called experts are full of shit, then they fire said experts
>> and hire competent people, saving time, money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
>
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born. The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
>
Well, enjoy your doomed industry then. I'll continue to take great
pleasure as the so-called experts get owned by teenagers.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/