> You come to my company, you use 'proprietary technique' to
> root some box, and then what? You will not tell me how you did it, because it is
> 'proprietary technique'?

On the matter of that, while I was doing penetration testing we always provided a report to the customer which stated exactly how a specific hole could be exploited to get access or anything else. Of course, the tools we use are our own and I don't think the customer should get anything about them. But they should know how a security hole can be exploited and maybe, in some detail, how we found it.

> Well, I don't know about others, but all the clients we deal
> with are not the ones that accept "I can't tell you" as an
> answer, or "It's secret" as an argument. No, I'm not trying to sound 'important' or to
> impress anyone, it's just reality with big companies (at least in my experience, in
> Asia-Pacific region).

I agree that "I can't tell you" is not an acceptable answer for a customer. But they don't need to know our techniques; they need to know the result, the possible problems and some of the paths that lead to that result. (IMHO :)

> a) *understand* client's infrastructure/setup well
> b) find *all* security problems in time allocated - not just
> tell them something like "I rooted your DNS server,
> hehehe..." and stop there

Of course, after all we're presuming that we are not some kind of kiddie "hackers", but professionals whose goal is to make the customer satisfied.

Bojan Zdrnja
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 06:20:49 PDT