Re: Verify Your Security Provider -- The truth behind manual testing.

From: Mike Messick (mikemtridigitalenterprises.com)
Date: Fri Jul 17 2009 - 22:11:22 CDT


I agree with you wrt pen-testing companies - my comments were focused
solely on individuals, I'm not sure there'd be any legitimate/good/ethical
reason for a PT company (or individuals working for that company) to keep
something anonymous.

-Mike.

On Fri, 17 Jul 2009, Adriel T. Desautels wrote:

> That makes good sense Mike, point well taken. But for a security
> company that offers penetration testing and
> claims to have their services driven by manual testing, wouldn't it
> benefit them to release research in the form
> of advisories, and dare I say in some cases, exploits? It could very
> well be different for individuals, can't argue
> with your point there.
>
> On Jul 17, 2009, at 10:19 PM, Mike Messick wrote:
>
> >
> > A couple of thoughts on this:
> >
> > Sometimes employers prohibit employees from using their real names
> > if it
> > can tie them back to where they work, for legal and other reasons
> > (like
> > people associating the employer with the researcher even though the
> > researcher did all work on their own time.) Some employers cannot
> > afford
> > to have this happen because of the public perception that the employer
> > somehow sponsored the work.
> >
> > Imagine if I work for the FBI and in my own time I develop some way to
> > crack wireless networks in very short order. Even though my
> > employer had
> > no participation in this effort, when someone "discovers" where I work
> > and it gets slogged through Wired or /. the entire world then thinks
> > the
> > Feds are out to get them.
> >
> > I have several friends who perform some amazing security research
> > and due
> > to where they work they are not able to use their real names when
> > releasing findings/products to the community. I have yet to find
> > anything underhanded about them, their work, or their employer.
> >
> > Hope this helps,
> > -Mike.
> >
> > On Fri, 17 Jul 2009, Adriel T. Desautels wrote:
> >
> >> You are an individual researcher. And why might I ask do you need to
> >> hide behind an alias? If you
> >> do research that is both legal and ethical and if you follow the best
> >> practices that you can follow, then
> >> why wouldn't you want your name associated with your hard work?
> >>
> >>
> >> On Jul 17, 2009, at 8:21 PM, Stack Smasher wrote:
> >>
> >>>
> >>> I think this discussion is seriously flawed. I am a security
> >>> researcher who uses several different online aliases when I am
> >>> interviewed so I can speak without the fear of corporate or legal
> >>> repercussions. My professional person is never tied to my online
> >>> presence.
> >>>
> >>>
> >>> I like it better that way.
> >>>
> >>> On Fri, Jul 17, 2009 at 7:05 PM, Tim <tim-
> >>> pentestsentinelchicken.org> wrote:
> >>>> Anyway, I didn't say Only use facebook did I? Use any means
> >>>> possible. Bottom line is though, if the company has researchers,
> >>> then
> >>>> the company will have published advisories. If they've done that,
> >>> then
> >>>> you should be able to get a good idea of their capability by doing
> >>>> research on their research.
> >>>
> >>> Yeah, I agree that something novel should be getting generated.
> >>> Perhaps a better way to go about obtaining it, is simply to ask your
> >>> vendor what research their consultants have published. For instance
> >>> most of what I publish isn't tied directly to my company as I do
> >>> quite
> >>> a bit of it on my own time.
> >>>
> >>>
> >>>> Btw, if you comment on the blog, I might post it. :)
> >>>
> >>> Call me old school, but I actually like mailing lists...
> >>>
> >>> cheers,
> >>> tim
> >>>
> >>> ------------------------------------------------------------------------
> >>> This list is sponsored by: Information Assurance Certification
> >>> Review Board
> >>>
> >>> Prove to peers and potential employers without a doubt that you can
> >>> actually do a proper penetration test. IACRB CPT and CEPT certs
> >>> require a full practical examination in order to become certified.
> >>>
> >>> http://www.iacertification.org
> >>> ------------------------------------------------------------------------
> >>>
> >>> --
> >>> "If you see me laughing, you better have backups"
> >>
> >> Adriel T. Desautels
> >> ad_listsnetragard.com
> >> --------------------------------------
> >>
> >> Subscribe to our blog
> >> http://snosoft.blogspot.com
> >>
> >>
> >>
>
> Adriel T. Desautels
> ad_listsnetragard.com
> --------------------------------------
>
> Subscribe to our blog
> http://snosoft.blogspot.com
>
