Looking Beyond Passwords
Secure PHP Programming - Secure E-Commerce Design
Site & Server Security Reviews - Code Reviews
The new and improved iBOUNCER. Give us a try.
ICQ: 201971159 or http://www.iBOUNCER.com
Greetings All:
Ok, I so hate for one of my first posts to be something that sounds like a flame, but I'm feeling the need to advise webmasters against becoming unknowing victims of their own good intentions.
For starters, let me say that I am a court-certified information security specialist and data integrity expert, and have spent the last several years doing information security research for the Pentagon, and hacker profiling for the FBI.
I have looked at this "ibouncer" thing, and as an expert, I strongly warn everyone against its use.
Why? For several reasons:
1. Where is the listing of qualifications? Data integrity and information security are serious business, and in my life I have never seen a reputable company that doesn't post a curriculum vitae on its site. The ibouncer site contains no identifying information at all, much less credentials, a list of certifications, and industry-respected referrals.
2. Why do they fail to tell you, the webmaster, that hiring someone to do a penetration test of a webserver that is on a network that you don't own is a felony? Yes, a felony. You as a webmaster cannot grant a third party permission to do a risk assessment of a system that you don't own. And, even if you did own the webserver, you cannot grant someone the right to do a risk assessment of it if it's located on a NETWORK that you don't own. You would need written permission from the CEO and/or CTO of the company that owned the server and/or network. I can guarantee you that such permission is not going to be given to someone that has no posted credentials.
3. Posting a logo on your website saying that it's secure? As a hacker profiler, I can guarantee you that it is nothing but an invitation for hackers to try and exploit you. It's a big old target that reads "you have to be good to get in here, wanna try?". Even Fortune 1000 companies that I did risk analysis for would require NDAs (non-disclosure agreements), because they didn't want anyone on the outside to know that a penetration test was performed. Why? Because, as I've said, it's an invitation to hackers.
In short, this is NOT the way to go about doing things. Although I'm sure ibouncer's intentions are well meaning, I feel that their "security banner" program, coupled with the glaring lack of information on their website, speaks volumes about their lack of experience in this field.
Keep in mind, I don't know anyone from the company personally, and know nothing about them. But, neither do you, the webmaster, because their website TELLS you nothing about them.
Actually, I have over 10 years of experience in the security field, working with some of the largest, most targeted organizations in the world. If anyone cares to discuss the technical and/or security merits of our system, please contact me offline. I have never lost a customer because they felt we were underqualified; I suspect that's not the case for the above poster. Security envy, perhaps?
Some very good points BoyAlley. Posting some kind of "hacker proof" sticker on your website is an invite to any script kiddie with a decent line and a couple of applications that can be found on any website.
I've dabbled in security work. I think ibouncer here has started a new company, and needs to work on his site for a bit. As for his experience, in my opinion, people without fancy paperwork often have more skills than the next guy who has a degree in IT security.
For obvious reasons..
I would like to have a chat with you if possible BoyAlley, what are you currently doing for work?
are you published anywhere on the internet?
Originally posted by iBOUNCER
Actually, I have over 10 years of experience in the security field, working with some of the largest, most targeted organizations in the world. If anyone cares to discuss the technical and/or security merits of our system, please contact me offline. I have never lost a customer because they felt we were underqualified; I suspect that's not the case for the above poster. Security envy, perhaps?
we have several articles on security sites, and securityfocus and so on.
I believe those are brilliant and valid points made.
The main thing being: for your own sake, DON'T POST ANYTHING that remotely looks like "impossible to hack"; any goddamned hacker out there would come running to prove you wrong.
Besides that, I don't know about the legal aspects. I suppose having a security expert help evaluate the security of your servers/sites might be a good idea, and I'd suppose it wouldn't necessarily mean breaching security/laws etc. It could be like looking into the scripts used for exploitable holes, the security setup in general, the password files' location and protection, etc etc etc...
Originally posted by BoyAlley
Greetings:
Oh please. Get over yourself already. What on earth have you demonstrated to anyone that I should envy?
Originally posted by iBOUNCER
I have never lost a customer because they felt we were underqualified; I suspect that's not the case for the above poster. Security envy, perhaps?
Well, no one has any idea WHAT experience he has. Mainly because he's trying to do "security" work in the adult community without anyone finding out that he's doing work in the adult community at all.
Originally posted by johnpr0n
As for his experience, in my opinion, people without fancy paperwork often have more skills than the next guy who has a degree in IT security.
If he's so ashamed of the industry that he's trying to work in, that he won't even reveal his previous experience as part of a resume on his website, why in the hell should anyone in this industry hire him? Or trust him?
It's ridiculous.
This will be my last post about the subject. I think I have provided fair enough warning to the webmasters that read this forum. It's up to them to make the final decision.
I'm always available via AIM TheBoyAlley and email [email protected]
Originally posted by johnpr0n
I would like to have a chat with you if possible BoyAlley, what are you currently doing for work?
I recently sold my last company to a NASDAQ traded tech firm, so I've been kind of taking it easy, and dabbling in various adult sites. I am a man without direction at the moment! Haha.