RE: Penetration test of 1 IP address

From: Sels, Roger (roger.sels@gov-fbi.net)
Date: Thu Feb 09 2006 - 10:38:50 EST


Hey,

I see what you mean, but do we really have enough information to
judge whether or not it is ethical to help Edmond?
Whether or not it's a sham and his customer is being ripped off? And if
so, is that really Edmond's fault?

Maybe, just maybe, Edmond is in a situation we've all been in at some
point sooner or later during our careers. You join a company, get
appointed as, e.g., the Cisco specialist, and a lot of training and coaching
and what not gets promised to you.
You are highly motivated to prove yourself worthy of this commitment
from your employer, and, eager to learn, you inquire with your trusty old
pal Google, and all the mailing lists appropriate to the subject at hand. You
even get yourself some books and might consider trying to get certified in
that domain.

6 months from now, you'll have picked up the skills (or some at least),
the company's not going to see the point of furthering your training as
"well you've learned it all by yourself, you eager chap" and that's it.
Long live Company X's new Cisco Specialist.

But yes, it does suck for his customer, but that doesn't necessarily have
to reflect badly on Edmond personally. Just on his employer ;-). Possibly on
the customer as well, for being knowledgeable enough to know he needs a
security test but not researching who in his area is really specialised
in security testing. (If Edmond's company really was, why did he come to
us for help and not to "the specialists" internally??)

This said, show me a company that has ALL the experts on board it claims
to its customers and I'll show you a VERY surprised face ;-)

I also assume the customer has met Edmond, and he's been honest enough to
have stated he has "limited experience".

Kind regards,

Roger

On Thu, February 9, 2006 10:10 am, T0aD said:
> Hello all,
>
> Really I'm a bit surprised to see you guys taking such questions into
> consideration.
> I mean, I'm not against beginners' questions, that's not the point;
> there are no gurus or beginners, we are here with different
> experiences and levels of knowledge (maybe I'm a better cook than Aleph
> One!), but sometimes we have to understand what we're doing when
> giving away some information to some people.
>
> Here we have some guy, working for some company, with a customer's
> problem to resolve, that's to say to provide a pentest of an IP address.
> That is fine. The problem being: where is the precise question?
> Should we help him to 'automate' some pentest? Should we teach him
> how to actually do his job? What kind of company gives its
> customers such poor service as assigning an employee with no clue
> how a pentest could be done?
>
> It's like asking me to do some accounting for a company; I don't have
> the professional knowledge for it. You really think it would be
> fair for me to be able to invoice some customers for accounting? In
> my world, it's definitely not.
> Do you really want to help such companies to spread and make fake
> and pretending people richer? Me, definitely not.
>
> Nothing against you Edmond, don't take it personally, but if you are not
> skilled enough to even start a pentest, refuse it, unless the
> customer is aware of it and is kind enough to give you money to train
> yourself; otherwise be aware you're stealing from someone.
>
> I think I was nice enough to get published here; maybe I'm too
> idealistic or whatever, but at least I want to know what you think about
> it or if I'm missing a point somewhere.
>
> Have a nice day.
>

-- 
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:28 EDT