Monday, April 17, 2006

http://teh-win.blogspot.com/ has (as usual) an amusing read up, which at one step harps on a point that I can't support enough: 0days != hacking. Almost all "real" hacking is done via transitive trust (thus the same goes for pentests). 0days allow you to more quickly get _some_ trust to exploit transitively, but the "real" work is done on transitive trust. And transitive trust and "real" hacking gets too little credit at security conferences, mainly because any "real" research here is by direct implication illegal ("... I wrote this worm that exploits transitive trust ... and I have some empirical data on it's spreading capabilities *cough* ...").

Now I just need to find a dictionary that explains me what "branler la nouille en mode noyau" means ;)

4 comments:

maryanne7 said...

"moi je fais de la sécu au lieu de me branler la nouille en mode noyau"

one translation: "I do security instead of 'shaking my dick'"

Basically, saying that she knows her shit, and doesn't go around talking smack like guys do.

As for "en mode noyau", I'm not entirely sure but here's one meaning:
http://fr.wikipedia.org/wiki/Noyau_(informatique)

She's rebuking people who don't give pentesters (like her) the credit due.

maryanne7 said...

Also, she saying that at least she can do more than just "play with her kernel" ;)

Martin Bishop said...

As someone interested in moving into the security field, I'm really glad to see people being more open about what the real requirements are for their jobs.

I doubt I'm the only person who would benefit from and be entertained reading more about the unglamorous side of assorted security-related jobs. I hope to see more of this sort of frank honesty in the future.

Emilie said...

Being read by a nice looking security star is always an ego boost! Thanks Halvar for your nice words.

While I do not like being despised by most "vocal" security people (mailing lists, blogs, ...) for being a security consultant, I do not believe "real" hacking has its place in security conferences.

Once upon a time it could be nice to have someone talk about real world methodologies (I found the excel file with all the passwords), but it would get old really fast (I found the domino database/text file/nis domain/unprotected ldap server with all the passwords).

The only fun part is in hacking custom stuff, but you can't talk about this.

Watching a talk about uninitialized local variables, even if I know I'll never need this knowledge in "real life", is way more exciting than another honeypot talk.