Comments on Carnal0wnage Blog: Response to How to Choose a Pen Tester
(comment feed, last updated 2024-01-24)

dean de beer (https://www.blogger.com/profile/13744345182407258839), 2009-02-24 09:20 -05:00:

Hey Bob,

I've been 'shadowed' on quite a few engagements. The reasoning has been everything from wanting to learn to security protocols. I'm sure at some level trust was also a reason.

Anonymous, 2009-02-23 17:23 -05:00:

Are references from other companies the best means through which you gauge trustworthiness of a pentester?

Has anyone had a client request full-time monitoring of pentester actions throughout the course of an engagement?

I guess my question becomes, "Would more l33t skills outweigh trustworthiness if you could provide some preventative or detective comfort (e.g. monitoring, traffic logging, etc.) in the pentesting process?"

Just a thought, I may be out of my mind...

CG (https://www.blogger.com/profile/11061967917509053185), 2009-02-21 08:18 -05:00:

@dmc that was pretty much the point I was trying to make. Unethical behavior wouldn't be tolerated by any halfway decent business.

dmc (https://www.blogger.com/profile/09172915050818183213), 2009-02-21 07:09 -05:00:

I wonder if he'd feel different if he was compromised by a vulnerability the trustworthy but not as technically skilled pen tester failed to highlight?

I think it's fair to assume a pen tester is trustworthy if you're hiring a reputable company.

Anonymous, 2009-02-20 23:28 -05:00:

Hey Thurso...get a grip! Open discussion of findings is needed in this community. Most items can be related to business processes, not individual ass-hats. Hiding the problem does not help the whole; talk about what you find in the non-attribution context of systemic failures and we all gain.

As for the thin-blue-line security site..yea FAIL.

Thurso (https://www.blogger.com/profile/06814176490700109842), 2009-02-20 18:28 -05:00:

Warning...Warning...TECHNO-BABBLE...

"First-ever" wireless firewalls...// easily implemented that easily
erases (most professionals use words like 'patch' or 'mitigate') vulnerabilities...and best of all
Patent-pending technology (== fail)

The rest of his techno-babble just confirms this is just another half-assed attempt at security.

Anonymous, 2009-02-20 18:06 -05:00:

Damn. I wish I would have read your post earlier.

After reading the first post, I used the score card approach. I picked my Grandmother to do my pentest. I trust her a lot, and know she would never do anything to harm me.

I am looking forward to a successful engagement.

davehull (https://www.blogger.com/profile/13189230083815485114), 2009-02-20 17:52 -05:00:

I agreed with Branigan's post. Trustworthiness is of prime import when hiring a pen tester. Do I think a pen tester would be in biz long if they weren't also trustworthy? Obviously they wouldn't last.

I do agree with your point that there's no harm done and, in fact, it benefits the community to share findings as long as they don't divulge details about who the client is.