zlacker

[return to "Ask HN: Any felons successfully found IT work post-release?"]
1. public+l6[view] [source] 2024-01-03 19:17:40
>>public+(OP)
Thank you all for your perspective, and suggestions.

I was on a bad psychedelic trip, accompanied with some other issues at the time and ending up making threatening statements to a very high level official, but no battery occurred whatsoever. Thank goodness, or I would probably not be writing this message

◧◩
2. x0x0+s9[view] [source] 2024-01-03 19:32:31
>>public+l6
You could also consider working as a consultant or external pen tester. When we hired our pen testers, we did not run background checks on them, not least because they have no access to customer data so it's much less of a concern.
◧◩◪
3. zamada+Qb[view] [source] 2024-01-03 19:44:04
>>x0x0+s9
If the people you're paying to find weaknesses in the security system are assuredly never going to find a way to access internal data then how did you conclude you needed a pen tester in the first place? I mean, it's probably the right conclusion but only precisely because they'd find a way to access things they shouldn't be able to.
◧◩◪◨
4. x0x0+Fj[view] [source] 2024-01-03 20:20:52
>>zamada+Qb
We spin up a clone of prod and point them at that.

Certainly if a weakness is found in the clone it's also present in prod, but that's what contracts are for. And we also review logs to make sure.

edit: a clone of prod w/ only test data in it, not prod data.

◧◩◪◨⬒
5. random+xp[view] [source] 2024-01-03 20:46:54
>>x0x0+Fj
How do you know what you are looking for in the logs?

If you have the foresight to be able to recognize a malicious action from the logs, why not have the software block those actions from the start?

◧◩◪◨⬒⬓
6. x0x0+wq[view] [source] 2024-01-03 20:50:57
>>random+xp
We log all accesses and flows. So eg if our pentesters found a vulnerability in an endpoint, we can retrieve every post against that endpoint and (1) verify the pentesters didn't exploit it against prod, and (2) verify that it hasn't been exploited by anyone else.
◧◩◪◨⬒⬓⬔
7. random+0s[view] [source] 2024-01-03 20:57:50
>>x0x0+wq
Of course, that only works if the vulnerability is reported. There is no reason for the malicious actor to report the vulnerability they have chosen to exploit.

What percentage of the vulnerabilities discovered are independently discovered by multiple pen testers?

◧◩◪◨⬒⬓⬔⧯
8. unethi+rD[view] [source] 2024-01-03 22:04:53
>>random+0s
It sounds like you're suggesting that pen testers by default will not reveal discovered vulnerabilities with clients.

Then you talk about "discovered and revealed vulnerabilities". But, your first sentence talks about "discovered vulnerabilities not revealed".

What you may be wanting is a honeypot, where a pentest client intentionally puts some vulnerabilities of various exploit difficulty into the clone environment to ensure pentesters are doing their job.

◧◩◪◨⬒⬓⬔⧯▣
9. random+PV[view] [source] 2024-01-04 00:30:51
>>unethi+rD
> It sounds like you're suggesting that pen testers by default will not reveal discovered vulnerabilities with clients.

How so? Presumably most pen testers are working in good faith. But, if there is a malicious actor in their midst, that individual would not disclose any vulnerabilities they intend to exploit, no. What would be the point? That's just a really good way to get caught.

> Then you talk about "discovered and revealed vulnerabilities".

Yes, that's right. While it is theoretically possible for all your pen testers to be working together maliciously, if you are careful in your employment practices you can make this highly unlikely.

As such, if your data shows that 100% of all known vulnerabilities were independently discovered by multiple testers, then there is reasonable confidence that any malicious actor's failure to disclose a vulnerability will still be reported by someone else.

But if that figure is less than 100%, and especially if it is considerably less than 100%, then there is much more doubt cast on another pen tester in your organization's ability to find the same vulnerability. Here you have a problem.

◧◩◪◨⬒⬓⬔⧯▣▦
10. x0x0+b31[view] [source] 2024-01-04 01:44:16
>>random+PV
The app and api are on the internet anyway, so you don't need to be a pentester to test it w/ no intention of reporting.
◧◩◪◨⬒⬓⬔⧯▣▦▧
11. random+551[view] [source] 2024-01-04 02:05:32
>>x0x0+b31
You don't need to be, but there are some big advantages:

1. You get to test the flaws in an environment where nobody will raise an eyebrow. If you go straight for the production system, it is likely your early attempts will visibly show up in the logs.

2. You get paid to carry out malicious deeds. That's a double win.

It would be kind of silly not to.

◧◩◪◨⬒⬓⬔⧯▣▦▧▨
12. x0x0+G91[view] [source] 2024-01-04 03:07:13
>>random+551
I think it would be silly to do so. You're pulling down $20k+ contracts for a week's work. It's a pretty good gig and completely legal.
◧◩◪◨⬒⬓⬔⧯▣▦▧▨◲
13. random+ua1[view] [source] 2024-01-04 03:19:09
>>x0x0+G91
Why do you think it would be silly to take the job?

The second two sentences read like excellent reasons why you should take the job (even if they are just a repeat what I already said in different words).

I must have missed something.

◧◩◪◨⬒⬓⬔⧯▣▦▧▨◲◳
14. x0x0+9f1[view] [source] 2024-01-04 04:04:48
>>random+ua1
I meant silly to use exploits find while performing a pentest for malicious purposes.

You get well paid and it's legal.

[go to top]