Comments on: ‘Security Consultant’ Caught for Running Large Botnet

By: James C

James C — Tue, 11 Mar 2008 20:18:14 +0000

@ Sir Henry
I use torture to do my background checks on staff I hire, probably the reason I don’t have any at the moment.

By: dirty

dirty — Mon, 10 Mar 2008 20:11:28 +0000

No, no one is required to sign anything unless they have certs like CISSP, etc.

It just paints a negative image for people in our field

By: J. Lion

J. Lion — Thu, 06 Mar 2008 15:58:33 +0000

Does all security consultant need to sign an official document saying that I will do ethical stuff only before working as a security consultant?

What’s to stop a security consultant from saying “Pay me Protection Money or else…”?

By: Sir Henry

Sir Henry — Fri, 14 Dec 2007 18:36:44 +0000

@CG:

I am in agreement with Dirty on this. Background checks are only as efficient as the technical abilities of the person performing them. In any environment, people will hire someone who has technical expertise unrivaled by anyone else in the environment. That leads to situations like this. Not sure what the solution is other than to beef up the technical knowledge of those hiring and those performing the background checks.

By: Goodpeople

Goodpeople — Mon, 19 Nov 2007 22:41:08 +0000

> On another note, I use this nick waaaaay too much. I dont have
> any others… I should go fix that some time.

which is why I started using Goodpeople..

By: Nobody_Holme

Nobody_Holme — Mon, 19 Nov 2007 19:45:54 +0000

Thats kind of a bad thing… because people would check and would find you have no history, and say “hm, he must be hiding something”

On another note, I use this nick waaaaay too much. I dont have any others… I should go fix that some time.

By: Goodpeople

Goodpeople — Sun, 18 Nov 2007 18:26:36 +0000

Checking people’s online behavior is a good place to start. But then again.. I use different nicknames on different sites. The name Goodpeople is only a few months old…

By: dirty

dirty — Fri, 16 Nov 2007 20:00:44 +0000

CG:
Background checks will only reveal if theyve been caught before. Even NSA’s and CIA’s checks and security clearances miss some people. Think of all the spies that are found out.

By: Nobody_Holme

Nobody_Holme — Fri, 16 Nov 2007 17:49:37 +0000

I have the dodgy philosophy of not having a problem if its yet another hole in a microsuck program, but getting pissed off if they do shit like this against open-source stuff. I do want them to get owned by a vuln they themselves sell at some point, mind…

By: CG

CG — Fri, 16 Nov 2007 05:28:13 +0000

i’m actually a supporter of 0day and full-disclosure (but not really a supporter of their business model). 0days keep sysadmins, network admins, security consultants, people that write exploits, security companies, AV, etc in business, busy, and getting paid. it also keeps the technoidiots in fear mode which is also good for the above.

Now, if i was actively writing 0day i might feel different but since i am in the “i wish people would release more exploits for these vulns” camp i like people releasing exploits but not necessarily selling them (that’s a whole other issue)