pro hacker needed

[dnn2112]

Hello! This is a situation where, we have a client who needs an application tested against hacking. we need someone who would consider themself a superb hacker to test this application and see if there any "holes". If you find holes, we are willing to pay you. It is all in the testing phase, so this "hacking" work will not effect anything material, etc. I need help asap!

If interested, Please contact me at my email, dnn2112@hotmail.com

[MrLinus]

Uh... seriously, there has to be a better avenue than doing this to get help at testing software. You really don't know who you are dealing with here and we don't know who you are, particularly when you use a hotmail account. If you are serious about getting someone to properly test your software might I suggest talking with an auditing firm like KPMG, Deliotte-Touche and/or CGI.

I'm sure your client will be happier with a serious and reputable firm than just some "hacker".

Additionally, I suspect that few will be interested if you only pay if "holes" are found rather than paying them for the time they took to actually go through the testing.

[dnn2112]

yes, i am serious, and we are willing to pay for time, if you're any good. you may email me if you like, and i can give you a phone number to contact. the application in question has more to do with a VPN setup. encryption / email, etc...i don't even know the details, but i can put you in touch with someone who can.

maybe try and be a little less condemning and condescending to a well intended amatuer who is just asking for help.

[Tiger Shark]

I'm a "superb" hacker..... But there's a problem.... I have no idea and no inclination of how to crack your system.... See, I'm not a cracker.... I can tell you how to protect yourself and when my knowledge becomes insufficient I would tell you to go and find a professional service who specialize in penetration testing the type of service you intend making public.

The problem with people like you is that you think that computer security and "hacking" are both synonymous and a single discipline. They aren't. I can happily harden your Windows server, apply the appropriate firewall rules, manage and monitor your IDS and logging systems for any public content you care to provide. I can also run some fairly sophisticated tests against your system to determine if you have anything "odd" going on there within those paramaters..... OTOH, if you are making a PHP based BBS available to the public I can't help you... because it's not what I do. I don't know how to exploit the code and you can't afford to pay for my learning curve, (however short that might be).

Find the professional organizations, (preferably local to you who you can sit face to face with), and ask for their experience in dealing with the system you intend making public. Ask them for references and interview them all after having researched the potential exploits that are publicly available for your system so you have a clue as to "how" they get exploited. Then make your decision as to your service provider from there.... If they are reputable they will make you jump through a lot of legal and contractual hoops before they sign a contract with you......

Frankly, you show yourself as very unprofessional by going anywhere on the net and asking someone to pen-test you.....

[Edit]

Oh, and whatever Ms. M. says is gospel where I am concerned.....

"Well intended amateurs" are the reason for the majority of the insecure systems on the internet.... Please.... get a professional with a contract that your legal beagles find acceptable... This is not an issue where "good intentions" suffice"

[/Edit]

[MrLinus]

You do realize that I have no proof to the claim you are making, who you are or if you are truly legit? And there is a reason why I'm rather skeptical? Social engineering someone to attack or go after something that the person doesn't have, particularly when there is little to no information other than a hotmail account (which anyone can make) and there seems little professional details, does make one a bit skeptical. Particularly since you seem rather vague on details and it seems to be a friend of a friend kind of concept. Paranoia is a reality here because of scammers and wannabes.

You said application (which I took to be Web Application, as in portal, etc) but it sounds like it's a VPN/Email product. Do you have further details? Perhaps an actual RFP where people would know what kind of "hacker" you'd want? (Probably better to use Application Tester or Pen Tester than "hacker")

It's more of a protection for those users here. Additionally, on your part I'm sure you don't want to be scammed by some wannabe. How do you know that the person responding is in fact ethical enough and won't do more damage? Do you (or whoever the contact is) have a NDA? Have some type of CYA policy as to how far they can go? If this is running on a web server hosted by someone other than your "contact", do you have their permission to have it tested on their webserver?

I'm trying to be realistic as to what you want and whether it's legit for reasons of those before you.

If you are legit, perhaps a better worded request that details what is expected, what things will be paid for and what won't, what languages to be concerned about and what contracts will need to be signed might be beneficial to consider in the future.

Just a thought.

[edit]

As an added aside, if the question is cost I'd suggest perhaps the following:

Open Source Testing Tools -- any number of these tools might help if this is a web-based app.
Testing Applications on the Web -- book from Amazon that goes into how to test.

[dnn2112]

yes, i have an NDA. yes, I have details. no, I will not discuss them here. If you are interested in such, you may email me, as I have requested. Stop trying to win an argument that doesn't exist, and either email me if interested, or not. no big deal. i am not going to discuss all those specifics on a public forum. surely, you can understand that.

[;TT]

No, but you'll discuss them with a complete stranger who will e-mail you at a hotmail address? =\

[MrLinus]

Can you at least state what language in question one would be testing? It helps to narrow down for someone -- if they are serious -- whether they can be of benefit to you.

And I'm not trying to win an argument. I'm just trying to point out some of the issues we face. It's more a statement of fact than anything else. Certainly both parties take the risk but people need to be aware of what is out there (sometimes people online are far too trusting --- and perhaps some of us have become far too cynical and paranoid because of being burned one too many times. )

[Tiger Shark]

dnn2112 "The well intentioned amateur":

You should make that your new name...

I don't know you from Adam.... Yet you come here and entice me to potentially break the law against a system that you will not be able to _prove_ you own.

Ahhh yes, you are going to email or fax me that NDA from where? I don't know and I won't be able to properly verify.... But the NDA is rubbish.... What about my butt being covered... The NDA covers your butt not mine..... If you knew what you are doing you would also have a nice long list of things I can and can't do.... All scribbled down in pretty red crayon reminding me that I may not even "look" at any other address in the address block for example...

The point here is that you aren't getting it..... If you get anyone from here to "help you" you may end up in a courtroom with them for either:-

1. Not doing a _proper_ job, or...
2. Doing too good of a job.....

Computer security revolves around a very simple principle.. Trust!!!

Trust is a two way street.... You _have_ to trust me to report everything..... I _have_ to trust you not to be a pissy little bitch and take me to court if, after 3 months, someone else finds a hole in your system..... Guess what? I don't trust you because you asked such a dumb question for all to see in a public forum..... and your subsequent messages imply that you have no clue as to why it is wrong.... Ms. M. gave you good advice, my advice isn't too shoddy either... Take the advice or continue to demonstrate your ignorance....

That's not unfair....

[XTC46]

dnn2112
You are getting far too defensive; which makes it look even worse on your part. The advice given above is as much to protect you, as it is to protect us. How do you know that the "hacker" you hire can even help you? I could easily email you, toss a bunch of jargon around and trick you into thinking I know what I’m doing. I find one or two very well known holes and say the rest of your system is good to go. I cash your check and you go live with a system that was not tested properly. And that’s not the worst, in reality someone could help you, and then really patch your system and fix the flaws that are there, then install there own little back door so he can exploit you at a later time if he so chooses. You need to think about this type of thing before posting on a public message board. Anti-online houses some of the industries great minds, but it also is home to tons of wannabes, and guys who think they know what they are doing. Just be careful, and try not to take the advice, which is given by two of this communities most respected members, so personnel.