From: Bob Radvanovsky (rsradvan@unixworks.net)
Date: Thu Dec 13 2007 - 23:14:42 EST
See comments below...
-rad
----- Original Message -----
From: Erin Carroll [mailto:amoeba@amoebazone.com]
To: 'Joseph McCray' [mailto:joe@learnsecurityonline.com], 'pen-test' [mailto:pen-test@securityfocus.com]
Subject: RE: I want the PT list back....
> Thank you for this post Joseph. It's posts like this discussing the more
> esoteric and non-technical aspects of pen-testing as a community of
> professionals where I get the most bang for my buck. Tools releases and
> various techniques are always useful and illuminating and in the almost 3
> years since taking over moderation of the list from Al Huger I've lost count
> of the number of posts asking "What tool does X" questions. And you're
> right, it does take some restraint to not only refrain from the inevitable
> "just google it" but to also allow posts from members along the same vein go
> through.
(clapping hands) Here, here. But, we shouldn't discount Google as a valuable tool and asset, either. ;)
> I'm somewhat on the other end of things as the moderator for the list. I try
> to be as hands-off in discussions as possible and let members contribute
> rather than answer questions myself. It's too easy to cheat and write up a
> nice thorough reply to a submission while I'm processing posts and steal all
> the thunder... though it'd let me look all-knowing :)
Is this where the 'Happy-Fun Ball' comes into play? 8)))
> Jerry Shenk also brought up a good point regarding not knowing a particular
> area of security very well and being hesitant to ask for fear of flames.
Y'know....I've always had the attitude as a student, as a teachers aide, and as the teacher himself, which is: "the only stupid question is the question never asked". The problem with that is that this statement was made pre-Internet, pre-Google. Nowadays, *everybody* has access to *everything*, everywhere, anytime. Outside of giving the starting "duh" statement, how should we treat novices (er..."newbies") who don't know how to look for the answer? Then again....*DUH*, right? Still...be nice to 'em, guys. No "FRESH MEAT" signs, OK?
> I've been in the IT sector and security in particular for a long time and I
> still run into areas where I need assistance or don't have enough depth. A
> recent case in point: I was looking for a enterprise multi-user password &
> authentication solution (Password Safe and similar too limited/more
> single-user oriented) and my google-fu was pulling up a lot of fluff.
Google-Fu??? So...you'd be Master Phong??? ;)
> Aside from Cyber-Ark's solution I was wandering in the dark for other options
> to explore. Luckily I was able to ping some contacts and was turned on to a
> wealth of other tools. For some list members, a lot of the questions &
> discussions I let through are basic or prompt responses of "maybe someone
> else who knows wtf to do should be doing it". However, even some of the
> "dumb" questions can uncover something new and interesting.
To be honest with you (and everyone else on this list), the *BEST* "resource" are yer friends, pals, bud, bros (whatever 'ya wanna call 'em)...they represent the "hidden knowledge" that Google doesn't have. Essentially, they have the *experiences* that Google can't replace. ;)
BTW, I am NOT bashing "Google". Just that personal networking has a much better strength than a machine -- any day, any time.
>
> When I have some more time, I'll follow up with some of the challenges &
> areas I'm running into.
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
> > -----Original Message-----
> > From: listbounce@securityfocus.com
> > [mailto:listbounce@securityfocus.com] On Behalf Of Joseph McCray
> > Sent: Monday, December 10, 2007 9:51 PM
> > To: pen-test
> > Subject: I want the PT list back....
> >
> > Guys, I've been on this list for years. And for the last few
> > years I've done a healthy amount of quiet complaining about
> > the questions and the posts on this list.
> >
> > So I'm gonna go out on a limb here....
> >
> > 1. For the record this is not me trying to post for glory and
> > fame or to try and show how smart I think I am. This list is
> > full of people that have forgotten more about pentesting than
> > I could ever hope to learn.
> >
> > 2. This is not me saying the skill level of the members is
> > declining, or anything negative about the list members, or
> > new pentesters on this list for that matter. We were all
> > where new to pentesting, or new here once.
> >
> > I remember several years ago when I wished I had skill to
> > understand some of the questions people asked on this list. I
> > remember when people on this list would ask questions about
> > situations they were facing while on a assessment. The person
> > asking the question would list all of the references he'd
> > already read, what he'd already tried and the error message
> > he'd received. And amazingly - people would actually help....
> >
> >
> > Are people afraid to post that kind of stuff anymore or what?
> > Have our NDAs pushed us to just talking with our buddies in
> > SILC servers, or just posting stuff in blogs?
> >
> > There are a ton of really smart people on this list. I see
> > occasional replies from some big names in the industry -
> > really smart cats.
> >
> > I'm doing 3 pentests a month now, and when I'm not working I
> > live on security blogs, and silc servers with my buddies - I
> > don't really follow the security lists and closely as I used
> > to because it just doesn't seem like people are sharing as
> > much information as they used to on here.
> >
> > I don't know if anyone else is feeling this way about this
> > list, if you disagree with me say so....
> >
> >
> > Guys here is what I'm dealing with out there - what about you?
> >
> > * NAC Solutions (tricky, but not as tough as Host-based IPS -
> > MAC/IP spoofing still gets by of the stuff I've run into)
> >
> > * Host-Based IPS Solutions (really tough to beat - at least for me)
> >
> > * Wireless IPS Solutions (a joke)
> >
> > * 802.1x - I haven't seen it on an assessment yet.
> >
> > I'm having to hit web app, and client-side stuff to get into
> > the networks from the outside. Port scanning and VA tools are
> > damn near useless from external.
> >
> > For me web app, to back end server, to the LAN is so rare it
> > might as well be non-existent. Web app to DB - yeah...but not
> > to internal LAN for me very much.
> >
> > Spear phishing with or without client-side exploits is it for
> > me for external to internal. <-- How about you guys?
> >
> > Internal networks are still a mess, riddled with old
> > vulnerabilities - even when the customer has patch management
> > solutions. I can't be as noisy trying to find them like the
> > good old days - but they are still there - the bigger the
> > company the more legacy crap they have.
> >
> > Rarely I find a Linux box on the client's network that I can
> > use to set up shop these days so I've had to develop a
> > collection of command-line windows tools. Anybody else in
> > this boat? If so what's in your toolkit?
> > I started with meta.cab from Phoenix 2600 and have been
> > customizing it.
> >
> > For wireless I pretty much just use Kisment/Aircrack-NG, but
> > I'm really interested in wicrawl. Anyone using it on pentests yet?
> >
> > Inguma looks interesting, I run into Oracle on tests a lot.
> > Is anyone using it - if so what do you think?
> >
> > Some attacks that look really interesting - but I don't know
> > of anyone doing them in assessments? Can someone shed some light?
> >
> > * DNS-Rebinding
> > * Oracle Cursor Snarfing
> > * Remotely fingerprint OS Language packs
> > * Remote SQL/PHP Shell Injection
> >
> > I look forward to hearing from you guys....let me know what
> > you are running into.
> >
> >
> >
> > j0e
> >
> >
> >
> >
> > --
> > Joe McCray
> > Toll Free: 1-866-892-2132
> > Email: joe@learnsecurityonline.com
> > Web: https://www.learnsecurityonline.com
> >
> >
> > Learn Security Online, Inc.
> >
> > * Security Games * Simulators
> > * Challenge Servers * Courses
> > * Hacking Competitions * Hacklab Access
> >
> > "The only thing worse than training good employees and losing them
> > is NOT training your employees and keeping them."
> >
> > - Zig Ziglar
> >
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:16 EDT