Thursday, February 19, 2009

Steven Branigan has a great blog post about how to pick a pen tester. Branigan's point is that the trustworthiness of the pen testing team should be the number one criterion. I agree, I applaud his post, and it prodded me to follow up with this post about something that's been bugging me for the last few years.

I'm amazed at some of the highly regarded people in the information security arena who have publicly bragged about exploiting systems that they clearly did not have permission to exploit. They usually consider these exploits to be harmless pranks on systems of little import, but even the least important systems (kiosks seem to be a popular target) are still maintained by someone in IT somewhere. When those systems are compromised, they still have to be pulled, re-imaged and redeployed. This takes time and costs money, there's an opportunity cost on top of that, and those costs are passed along to the consumers.

As info sec professionals it is our job to defend information systems. During the course of our work, we learn how systems can be compromised. We have a responsibility to use that knowledge for good. If we take that knowledge and use it for pranks or to show off, then we become the very thing we are fighting against. We become a house divided.

It has been said many times before that the difference between a white hat and a black hat is permission. If you don't have permission and you're going around messing with vulnerable systems so that you can brag to your friends about it, then you've crossed the line and it gives a bad name to the entire industry. If you wanna play 733t hax0r and break into things, then you don't belong in the ranks of information security professionals.

All of this is not to say there is no need for legitimate vulnerability research. But there is a difference between original research to discover new vulnerabilities, or even non-original research in a controlled environment where you are working with permission to learn a new exploit, and the types of "bob stories" I'm referring to above. I'll even grant that there are some "bob stories" that demonstrate a vulnerability without going so far as to exploit the system in question, and I have no issue with that. But if your "bob story" involves exploitation without permission, do yourself a favor and keep it to yourself. Better yet, think twice, exercise a little self-control and a little professional ethics, and don't cross the line no matter how harmless you think your actions may be.

I'll get off my soap box now.
