RE: "Free" pen-test

From: Pete (pen_test_list@petesmithcomputers.com)
Date: Fri Jun 20 2003 - 04:31:29 EDT


<snip>

> > My question is this: how do white-hatters usually approach these
> > things?

<snip>

hellNbak answered:

> So let me get this straight. You engaged in completely unethical
> behaviour -- offered a free pen-test and now you are mad because you
> were not able to "scare" this guy into buying services from you?

You misunderstand me (perhaps deliberately?). I'm not in the security
industry. I was tipped that a local firm had security issues. I have
contacts who could provide the security that they need, so I went about
bringing the two together. Mr Director agreed to a pen-test on the basis
that our degree of success may or may not lead to a sales meeting. This
wasn't blackmail, just an honest attempt to show a reluctant (and smug)
manager that he was vulnerable. OK, we wasted some time (it seems) -
some people just don't want a mirror held up to them.

Miguel's remarks are more useful. I'm interested in the approach to the
psychology of this thing: what do you do when you know someone is wrong
about his/her security but just refuses to see it? If I'd waited for
this guy to approach me I'd have waited all my life. Likewise, if I'd
tried to sell him a full pen-test backed up with a complete security
report, he'd never have seen the need for it.

Well...any more comments would be interesting.

Pete


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT