#1 Lack of honesty. Seriously, they promised to release those crypto challenges publicly 2 years ago (Blackhat 11: Crypto for Pentesters) and never did so: https://twitter.com/matasano/status/101714851633700864. And now they're using them as a recruiting tool.
#2 Lack of humility: Matasano guys seem to disregard common tools like Burp scanner or Sqlmap. It's fine to cherry-pick tools to suit your needs; but if you choose to disregard them completely just because you feel they're associated with "Security Rookies" then you're more than likely to miss something, consequently doing your client a disservice (they expect you, as a consultant, to find the most vulnerabilities regardless of tools used). Matasano may have a better fuzzer/scanner, but since they don't publicly release them, I find that going around and bashing other security tools to position themselves higher than their competitors is a sign of arrogance.
Go work for other companies, I don't want you HN people to turn out to be like them!
For those of you who emailed sean at matasano dot com but haven't received any response, go play with Trustwave crypto challenges: https://github.com/SpiderLabs/CryptOMG - And yes, they don't have a BS subscription model.
If you want to run scanners all day, we're definitely not a great place to work.
We changed the format for the crypto challenges because:
* the "vulnerable" web app got in the way of what we were trying to teach people (it's easy to work CTR mode into "decrypt this cookie" but not so easy to work Diffie-Hellman into that)
* the web parts got repetitive (there's only so many times you can show people "decrypt this cookie" before the "cookie" part of that gets in the way).
* some of the challenges involve implementing crypto constructions (which we found to be the best way to learn how to break them). We had features in 36 Chambers that tried to capture "building" as well as "breaking", but they were extremely clumsy and contrived.
* But mostly, because we'd rather put effort into tech supporting people learning crypto, as opposed to Ruby code running on Heroku.
Sean's crypto stuff has about 2.5x as much material as the 36Chambers crypto-for-pentesters site had, and that's mostly because we stopped wasting our time making it look pretty. The site was a silly way to spend our time. We'll have RC4 keystream bias challenges by the end of next week. If we were going to work them into a shiny web app, we might not have them by the end of the year.
If the pricing model we use for the challenges ("mail Sean and ask for them and he'll give them to you for free") is too much for you, I don't know what to tell you. Yes, making it to the end does incur the penalty of us begging you to come work with us. But if you're unwilling to surrender to a life of indentured servitude in the pentest mines at Matasano, we will happily accept a warrant on the blood of your firstborn child. That is, I think you'll agree, a tiny price to pay.
I guess thanks for giving me a chance to clear up this issue, which, if you follow me on Twitter, has maybe had you confused for a while (at least until last November or so when we started telling people every damn week to mail Sean for the challenges).
>"Sean's crypto stuff has about 2.5x as much material as the 36Chambers crypto-for-pentesters site had..."
This site never existed, at least according to Matasano's official website or Twitter account.
>"If the pricing model we use for the challenges ("mail Sean and ask for them and he'll give them to you for free") is too much for you, I don't know what to tell you"
You are deviating from the fact that you promised to give something away at a national conference, then completely ignored it until somebody obviously pointed it out. What happened between BH-11 and last November - when you started telling everyone to send email to Sean?
Maybe if you keep reframing your questions you'll manage to weave your way past my original evasive answer of "we decided not to do it that way" to the truth of "we grind up the bones of the victims of our free crypto challenges into a fine meal we use to fertilize the fungus patches we rely on for sustenance down in the pentest mines".
Please don't presume to speak for me. I left Matasano because I was returning to school; I greatly enjoyed my time there and I keep in touch with everyone I worked with because they are a group of intelligent, kind, and all around awesome people.
Also, I wholeheartedly endorse Tom's responses to your insinuations.
Cody, you're dealing with a coward that created an anon throw-away account just to troll with offensive remarks. I'm actually surprised how restrained Thomas has been with this jerk.
It's not the anon that I care about, it's that someone is being an asshole in public to people I consider to be friends, and using my (and nbpoole's) name to do it. I'm not fond of that.
You guys are all great; honestly, though, I think we're the only ones reading this part of the thread, and I was owed some kind of karmic retribution for turning Cody's post into a Matasano hiring thread.
I'm surprised none of you think I'm devious enough to have planted that anonymous commenter, though. "What, you're saying you test ALL the form inputs? What are you, some kind of atomic superman?"
So, I'm ex-Matasano and now work for Accuvant LABS (a competitor). While I'd love to snag awesome people to join up on my side, I completely disagree here. Matasano is a great company and they do do good work. #1 they should remedy for sure, but #2 I disagree with -- they hold the same opinion I've found in other high-end consulting shops, just more vocally.
"I wish Burp didn't have a Scanner. I might pay $25 more for a branded version of Burp that specifically didn't have that feature, so I could reassure clients I wasn't ever using it."
Tell me, how do you expect to find MOST instances of SQL Injection or XSS without using tools? Do you manually tamper with every cookie parameter? If Matasano has better tools and releases them publicly, then I am interested in hearing about them.
My gosh. Actually understand every cookie parameter, instead of running some tool to generate a list of obvious SQL injection vulnerabilities? Next they'll say they actually base64-decode every cookie too. How do they find time to sleep?
We automate lots of things. We just don't automate things that remove judgement from testers.
I've been a vuln researcher since 1995 and so have my partners. I was a lead dev on the industry's second commercial vulnerability scanner (Ballista), and Jeremy worked at ISS on the first. I think we know what we're talking about. Here is what we've learned: when you give a smart tester a tool that purports to find "low hanging fruit" vulnerability X, testers get worse at finding vulnerability X on their own. They subconsciously lean on the tool. They make assumptions about what kind of vulnerability the tool will find that they shouldn't waste time looking for. They gradually start getting worse at finding even the clever variations of X.
So the challenge is to find ways to eliminate drudgery (for instance, in comparing large numbers of responses from a web app to a run of different metacharacter input vectors across every parameter) without introducing things that degrade tester judgement.
Burp Intruder: Fine (though we do better internally for some things). Burp Scanner: Not Fine.