Posts by metlstorm@infosec.exchange
 (DIR) Post #ASVobtHRde1sMvA8xM by metlstorm@infosec.exchange
       2023-02-09T19:03:26Z
       
       0 likes, 0 repeats
       
       @mjg59 I see you have met @fincham
       
 (DIR) Post #ASt8lwAuKWGY5a8t16 by metlstorm@infosec.exchange
       2023-02-21T00:58:47Z
       
       1 likes, 1 repeats
       
       Is anyone else amused that my literal tree does not use spanning tree to detect loops while literally spanning a tree … no? It’s just me isn’t it.
       
 (DIR) Post #AUM3HUiuUEAW8y9lmi by metlstorm@infosec.exchange
       2023-04-05T21:35:22Z
       
       0 likes, 0 repeats
       
@riskybusiness @chort One of my frustrations with this view of pentesters/offense is that Not Having The Solution somehow invalidates our findings. To me, pentest is about providing empirical, as built, real world technical ground truth data about the behaviour of a computer system, to assist Risk Management (a discipline which, in the computer world, often lacks hard data) in making informed choices. The fact that the controls in place don't do what the user or owner expected is hard data. It's not changed by "there's no good solution" or "look son, you don't understand business" or "there's no other way to transfer files". It's not to say that pentesters give good recommendations (we absolutely do not), but as a pentester, ultimately recommendations are not our expertise. Building stuff is hard. Building it inside the defective non-ideal environment of a corporate or govt entity, even harder. With all the politics and budget and tradeoffs, yeeeeesh not the job for me. We don't know all (or even any of) these things when we make reccs, we're just doing our best, because someone once upon a time at the dawn of @stake or whatever went "oh god what are we supposed to do" and @Mudge or @alex or whoever went "wellll i guess we got some ideas..." and that got codified into "Pentest Reports have Recommendations". If I had my way, they wouldn't. We would say "here is the behaviour of your systems when they are used with Malice", and then different people would cogitate on the nasty mishmash of technical controls, policy, detection, money, usability, etc tradeoffs that would improve it in the real world. Ultimately, the fact that security needs real world solutions, not pentest reports, is kinda why we sold the Insomniasec we-only-do-technical-busting farm to a bigger entity that was equipped to handle all the other parts of the job. Customers want solutions, and all I got is _really detailed_ problems 😬 I never claimed to be an expert on Fixin', just Bustin'.
That's why my biz card said "Unix Berzerker" as my title, not "Sysadmin of the Year". They're different sets of skills, and tbh, I feel like saying "you're a bad boxer because you don't know how to do facial reconstruction surgery after you punch someone in the face..." doesn't make you less punched in the face.
       
 (DIR) Post #AUM3HVXxQR0AhI2XLs by metlstorm@infosec.exchange
       2023-04-05T21:36:02Z
       
       0 likes, 0 repeats
       
       @riskybusiness @chort @Mudge @alex also pat's wrong, you can totally still listen to the show 🤗
       
 (DIR) Post #AUM3WwUrVY9scox4tM by metlstorm@infosec.exchange
       2023-04-05T21:48:39Z
       
       0 likes, 0 repeats
       
       @alex @riskybusiness @chort @Mudge Who wrote the first pentest report! Who decided recommendations were a good idea?! I blame you, tryin' to be an internet goody-two-shoes instead of just rm -rf'ing them all and stopping computers before they could get started