RE: Ethical hacker article published

From: Steve Fletcher (safletcher@insightbb.com)
Date: Thu Feb 22 2007 - 21:46:12 EST


Craig,

Thank you for the feedback. I appreciate the response. However, I would
like to dispute some of the claims in your original email.

I did send an email out to the list back in December when I was working on
the article in an effort to ensure I included accurate information.
Unfortunately, all of the responses I received were off-list so people such
as yourself were not able to refute some of the information that I received
if it were inaccurate. That being said, your feedback would have been much
more appreciated at that time instead of after the fact.

As for the GCIA and GCIH certifications, the suggestion to include these
came from peers on the pen-test list. I was told that the courses include a
day covering attacks so that is why they were added. I have not taken the
courses, so I could not confirm or deny this myself.

I also must disagree somewhat with your statements regarding terminology.
While you offer a detailed explanation for what things an ethical hacker
would and would not do, I have seen other sources with different thoughts on
this. Sadly, the security field seems to have many terms that fall into
this area. For example, I have seen people do a "penetration test" that I
would really consider a "vulnerability assessment." I understand that this
can be attributed to misconceptions in some cases but in others, I believe
it is more a matter of opinion.

That being said, I totally agree with your statement that such an assessment
must look at the internal network as well as physical security. Just
protecting a network from the outside still leaves it open to the biggest
threat of all, an inside attacker. I try to stress this whenever I am
speaking to someone about security. I also realize that this includes both
internal network and physical security.

Finally, I fully understand the statement regarding editorial review. To be
perfectly honest, I do not believe many editors at Certification Magazine
are highly technical, especially with regards to security topics.
Therefore, I do not expect them to do a serious technical review of any
articles submitted. In addition, many times, the articles are not overly
technical, so this is often not a problem. I also am not sure why they
started using the editor address instead of a specific address for each
author. That is very misleading.

If time had permitted, I would have submitted the article for peer review
but I was given the assignment with a fairly short notice. I tried to do
what I could to produce as accurate an article as possible given the time
constraints and the sources available. I am sorry you feel that it was
inaccurate.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, Security+
Email: safletcher@insightbb.com
Web: http://safletcher.home.insightbb.com

 -----Original Message-----
From: Craig Wright [mailto:cwright@bdosyd.com.au]
Sent: Thursday, February 22, 2007 4:40 PM
To: Craig Wright; pen-test@securityfocus.com
Cc: Steve Fletcher
Subject: RE: Ethical hacker article published

Next,
GCIA and GCIH certifications are not designed to aid in pen testing or
ethical attacks. They have a different focus.

I do note that the editor association is generic to all Certmag articles,
which I missed in the last post - this not being something I would
generally read. So I apologise for this error in my prior post.

Regards,
Craig S Wright

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:36 EDT