[Techtalk] Re: Gender as a weapon? Pen-testing and female auditors

Raven Alder raven at oneeyedcrow.net
Thu Mar 18 04:27:41 EST 2004


Heya --

Quoth Patricia Fraser (Tue, Mar 16, 2004 at 02:06:44AM +1100):
> > 	I normally solve this problem by staying mostly on the tech side
> > of the house and letting others do the social engineering.  I'm a
> > rotten liar anyway.  But the few times that I have even dipped my
> > toes in, it's been shockingly effective.  But ew.  Slimy.
> 
> I'd be thinking of myself as person first, female second, and deciding 
> what *I* wanted to do. You get to choose - just like it ought to be. 
> That's not always easy; that's the price you pay for having the choice.

	[nods]  Yeah -- the split, really, is that what is good for me
(not having to do something I consider distasteful) is not necessarily
what is good for my team (being the most effective pen-testers
possible).  So sometimes, just like I'll go to a meeting that I know is
going to be deadly dull, I'll do what's best for the team rather than
what makes me personally happy.  But ick.
 
> Social engineering *is* effective, and I think it's even more effective 
> when the engineeree is being worked on via their prejudgement that 
> "women don't do bad things, so I'm safe". Never mind that for a minute: 
> what's your answer to "But Raven doesn't do bad things"? 

	It appears to be "I will do it if employed in a professional
capacity to do so and it doesn't cause me undue guilt".  But I feel bad
taking advantage of people that trust me, even if I am being expressly
paid to do so, and even if they have no earthly reason to trust me.  It
also depends greatly on the client.  I don't feel bad at all trying to
social engineer a password or two out of a sysadmin or security geek at
$RandomFederalAgency, when hired to do so.  They are being paid to be
vigilant... it *is* part of their job to notice and stop things like
that.  However, I do feel bad trying the same things at
$JaneRandomSmallISP, since their threat model is so much less.  It's
particularly bad when I know that if I succeed, the person will get
fired.  So I'm a lot more comfortable just exploiting their computer
systems for pay.  At least that comes off to management as "you missed a
patch" or "we can improve our firewalls" rather than "your employee is
stupid and gave away the farm".

Cheers,
Raven
 
"See what happens when you treat women like pieces of meat?
 Kapow, your network's broken, and you're fired!"
  -- RavenBlack, on using gender as a weapon during pen-testing