On Thu, 12 Apr 2001, Riley Hassell wrote: > A good way to test a hacker's skills is to put him on a random box with only > console access. ( no way to access outside exploits ) > > His tools: > A compiler, find, ps, a debugger and his intuition. > ( lsof and strace if he's real lucky. ) > > Give him/her 12 hours to succeed. (without getting up to browse a website > for vulnerability information) This might be a good way to test someone's skills but it is a pretty bad way to do a penetration test. Can you stop a real attacker from searching the Internet? (Even most insiders in very isolated environments are allowed to go away regularly and do whatever they please.) Can you restrict the window of opportunity to 12 hours? (Most "mission-critical" systems must run in 24*7 mode.) A penetration test done this way would produce extremely misleading results. Even more misleading than those of an average pentest are... > It takes true talent to succeed in an unfamiliar, secure situation. If "success" means "security breach" then either 1. the situation in question is not secure, or 2. the success is impossible. :) --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 01:03:59 PDT