Profile picture
, 11 tweets, 2 min read
My Authors
Read all threads
Among the 20-year old arguments we still haven't resolved in infosec is this one. Part of the inconclusiveness is that both sides of the argument are right, depending on unspoken premises. We all assume your premises are the same as mine.
Some organizations haven't yet gotten the basics down. They need pentests doing the basics. Other organizations have solved what hackers did yesterday and want pentesters doing things that hackers will do tomorrow.
The underlying thread brings up a slightly different topic. Defenders are treated worse than dogs. I'm referring to sniffer dogs in airports that search bags for drugs and bombs. The dogs become bored and disillusioned unless they are occasionally given successes.
You need to regularly give sniffer dogs a bag containing explosive materials or rugs. Likewise, you need to feed defensive teams random pentesters who they can catch.
But while organizations need practice at what they are designed to do, they also need pentesters thinking outside the box doing oddball things that challenge their preconceptions.
Too often pentester contracts are designed to limit the pentester to doing only the things the organization knows they can defend against. Orgs need unrestricted pentests where the pentesters are allowed to do anything.
I don't want to attack your main web server. I want to attack that server somebody in IT setup for retirees, which is not strictly part of the company, yet (once popped) has access to the internal corporate network.
Adversaries like Anonymous or the GRU are often found having used the simplest of techniques, like SQL injection or phishing. The lesson many take from this is that they only need to defend against such simple techniques.
But in truth, they could do more -- but the simplest techniques worked. In other words, this reflects the maturity of the defenders more than the maturity of the attackers. If suddenly every fixed phishing, such hackers wouldn't go away, they'd simply get more advanced.
We hear about Anonymous and GRU hacks that used simple techniques like SQL injection and phishing. We don't hear about NSA hacks. It doesn't mean the NSA isn't hacking, it means we don't hear about it.
Anyway, the point of this thread is that we've been debating for 20 years what a "pentest" ought to do, and we still haven't come to consensus on this. I don't suppose we ever will.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Robᵉʳᵗ Graham

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Robᵉʳᵗ Graham
@ErrataRob
The following thread isn't terribly controversial. While new students might not realize this, "computer science" does not teach how to code. Instead, it teaches lots of useful information that coders might need, like O(n) or OS fundamentals.
The reason, I suspect, is that you can't really teach how to program any more than you can teach somebody how to play basketball. Sure, you can instruct them on some basics, but ultimately, it requires personal effort and practice.
If you want to become a professional basketball player, then you have to spend time on the court almost every day practicing until you get good.

If you want to become a professional programmer, then the same.
Read 35 tweets
Profile picture
Robᵉʳᵗ Graham
@ErrataRob
Dawkins is trending because of the typical Twitter outrage cycle. The text of his tweet is not important, it's the subtext, the meaning that readers insist on reading into it.
Hitler was kind to animals and a vegetarian. Yet, we can't say this because despite being true, the subtext is outrageous, with people insisting that somehow you support Hitler.
Things like "eugenics" is all around us, but we aren't allowed to use the e-word to describe. Couples practice it when they go to sperm banks and choose donors with the characteristics they like. Other couples use prenatal genetic screening.
Read 8 tweets
Profile picture
Robᵉʳᵗ Graham
@ErrataRob
This is not a complicated question: if you know it bothers others, then you know what the polite thing to do is.
"But airplane seats are designed to recline".
Yes, because much of the time the seat behind you is empty, or occupied by a short person, or that person is also somewhat reclining. That it's okay 70% of the time doesn't mean it won't bother people 30% of the time, you assholes.
Look behind you. If it's a tall person who isn't reclined themselves, or if it's a person with their laptop out, then it's a safe bet they'll have a legitimate grievance if you recline all the way.
Read 6 tweets

Related threads

Profile picture
David Roberts
@drvox
Right-wingers hate democracy so much they are openly threatening violence in Virginia, to the point the governor has declared a state of emergency. Can't wait to hear how bOTh siDEs are responsible for this.
Right-wing media is stoking the violence. They are eager for it. mediamatters.org/alex-jones/vir…
Right-wing threats of violence have literally sent a democratically elected legislator into hiding. gen.medium.com/death-threats-…
Read 4 tweets
Profile picture
Angus Johnston
@studentactivism
"If we bring down a great political party that should not be blamed for what happened, we begin to bring down the system. ... And I for one don't have anything better to replace it with." —Joe Biden on the GOP in 1973, at the height of Watergate.

In the same speech, delivered in May 1973, Biden said "although my Democratic colleagues won’t like me saying this, I think the two party system is good for the South, and good for the Negro and good for the black in the South." cleveland.com/politics/2019/…
Listening to the whole speech now. Two minutes in, Biden joked, pointing out a woman who arrived late: "This young lady knows I'm so powerful, she wants to get close to me. She just moved right up front here." cityclub.org/inc/audio-play…
Read 43 tweets
Profile picture
Christiaan Triebert
@trbrtc
A mother and 11 children were killed in an airstrike in Afghanistan last fall. We spoke to the father who was left to search for answers. The U.S. initially said it was not involved, but after our visual investigation, it changed its story. Thread 👇
The sole survivor of the family is the father and husband: Masih Mubarez. He was working in Iran when his wife Amina called him at 4 AM from their home in Mullah Hafiz, a small hamlet in Wardak Province. American and Afghan troops were inside their house, she said. It was a raid.
Seven hours later, Amina was dead. And so were their 4 daughters and 3 sons, including Mohamed Ilyas, pictured here not far from their family house where he was pulled out of the rubble, according to witnesses. Four young cousins, staying over at their aunt, were killed too. Mohammad Ilyas, seen here near his home in Mullah Hafez, Afghanistan, was 8-years-old when he died in a U.S. airstrike.
Read 18 tweets
Profile picture
Candice Bernd
@CandiceBernd
The Carrizo/Comecrudo tribe of South Texas has set up a resistance camp to protect a 154-year-old cemetery San Juan threatened by the president's border wall. The tribe's people are aboriginal to both sides of the Rio Grande. My dispatch from the border: truthout.org/articles/a-tri…
The tribe isn't just resisting the wall. They are also opposed to plans for fracked gas infrastructure on the border that residents say would turn their communities into sacrifice zones - including an LNG terminal that could decimate a federally-recognized Native sacred site.
.@NatButterflies's Marianna Treviño-Wright fears the wall could abet further buildout of fossil fuel infrastructure in the newly created "no man's land" behind the wall. While pipelines easily cross the border, asylum seekers can't.
Read 4 tweets

Trending hashtags

#OwnVoices #BlacksForYang #MedicareForAll #dmsales2019 #Police #TrumpRussia #hamilton68 #JenReadsRitas #LiberalismIsAMentalDisorder #DefendFreeSpeech #covingtoncatholic #BlackWallStreet #IStandWithLaura #6ix9ine #ChristchurchAttack #opsec #BlackLivesMatter #AtatianaJefferson #exercise #YangGangLove #twittertrolls #Walkaway #HumanityFirst #VijayDiwas #NYPD
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!