Shady Work

“So, you hack companies and then tell them that you found security vulnerabilities? And afterwards they hire you to show them what is wrong?”

This is one of the questions you get asked surprisingly often when you explain to people what you do for a living (and the answer is no: we don’t proactively hack companies and then sell our service. That’s what the mafia does). Although pentesting is a term that is more and more established in IT, the art of finding security vulnerabilities and actively exploiting them to verify their practical impact is still regarded as rather shady work by many. There’s at least the presumption that all pentesters must’ve been blackhats in their past, as the skills required to do this job can only be acquired by hanging out in the dark corners of the Internet, learning from 1337 h4X0rs who hack the gibson on a daily basis. Ok, frankly, you really don’t learn this stuff just by attending classes at university, but I think you get the point.

I guess this may be one of the reasons why, from time to time, business offers of a, let’s say, rather questionable kind arrive at our doors. Security experts are in high demand, it seems, on both sides of the law.

When you explain why you absolutely need to know what systems/networks are in scope (so we don’t accidentally attack an IP from a range close by, for example), many people drop a sentence about how interesting it would be to know what the competition is doing. Everyone says it with a wink and smile (and, one time, the promise of a small island in return), but sometimes, you’re not quite sure if it would really be out of the question. Competition’s tough these days.

At the other end of the spectrum, there are the phone calls asking if you also work outside of Germany (yes, we do) and what skillsets your “hackers” have (hmm, they’re like, good at what they do?). After some more inquiries, it turned out that this was not meant to be a pentest of a normal company network… suffice to say, we thankfully declined.

I’m being rather vague here to protect the innocent (i.e. me, so I don’t wake up next to this), but just to make this clear again: either you’re a legit company who wants to know about potential security problems in your own stuff, or we can’t work for you. If you are a legit company in need of a pentest, the contact information’s on the website :).
