zlacker

[parent] [thread] 7 comments
1. x0x0+(OP) 2024-01-04 01:44:16
The app and api are on the internet anyway, so you don't need to be a pentester to test it w/ no intention of reporting.
replies(1): >>random+U1
2. random+U1 2024-01-04 02:05:32
>>x0x0+(OP)
You don't need to be, but there are some big advantages:

1. You get to test the flaws in an environment where nobody will raise an eyebrow. If you go straight for the production system, it is likely your early attempts will visibly show up in the logs.

2. You get paid to carry out malicious deeds. That's a double win.

It would be kind of silly not to.

replies(1): >>x0x0+v6
3. x0x0+v6 2024-01-04 03:07:13
>>random+U1
I think it would be silly to do so. You're pulling down $20k+ contracts for a week's work. It's a pretty good gig and completely legal.
replies(1): >>random+j7
4. random+j7 2024-01-04 03:19:09
>>x0x0+v6
Why do you think it would be silly to take the job?

The second two sentences read like excellent reasons why you should take the job (even if they are just a repeat of what I already said in different words).

I must have missed something.

replies(1): >>x0x0+Yb
5. x0x0+Yb 2024-01-04 04:04:48
>>random+j7
I meant silly to use exploits found while performing a pentest for malicious purposes.

You get well paid and it's legal.

replies(1): >>random+Hc
6. random+Hc 2024-01-04 04:13:39
>>x0x0+Yb
Then what do you need pen testers for? With an offer like that, any threats to your system will come work for you instead.

The reality is that you don't get paid well if the data is worthless. You only get paid well when the data is worth orders of magnitude more than what you're being offered. If you are inclined to break the law, that's a pretty nice carrot dangling there.

If you are so inclined, why wouldn't you take the job and report the not so crafty exploits to bring in the sweet, sweet paycheque and use the really juicy exploit to also go after the even sweeter data? It's a total win-win situation...

...unless you get caught, but if you are so inclined that's not exactly on your radar.

replies(1): >>x0x0+c12
7. x0x0+c12 2024-01-04 17:38:51
>>random+Hc
My claim is that people tend not to do crime if there's a very well-paid alternative, and I think I have pretty good empirical backing on that one. Also, our data is probably not worth that much. We do pen testing so we don't get popped and leak our customers' data, likely losing some of our customer base (even if it isn't worth much, not having it leaked is); because SOC 2 essentially demands it; and because smart customers care more about pentests done by good firms than SOC 2.
replies(1): >>random+A42
8. random+A42 2024-01-04 17:53:32
>>x0x0+c12
Exactly. So what do you need pen testers for[1]? Just pay the 'bad guys' to go away.

[1] Okay, regulation, but the need for such regulation is still in question.
