Educause Security Discussion mailing list archives

Re: Penetration Testing vs the academic world

From: Morrow Long <morrow.long () YALE EDU>
Date: Thu, 12 Jan 2012 17:20:53 -0500

leandroqm () gmail com wrote:

Thank you for your reply.

If you find yourself qualified to answer the question, please go ahead.

What I intend to do is to find out what topics are subject to further

development by the academia so I can contribute in my thesis.

If anyone can help me enlighten that path, please do.

Leandro Quibem Magnabosco.
leandroqm () gmail com


Regarding enlightenment, Im not certain if I can illuminate the middle
path for you but I may be able to show you the way.

To attain enlightenment the Buddha says one must obliterate the self (note
also: all of life is suffering, suffering comes from desire and the only way
to escape suffering is to get rid of desire).   At any rate I read Zen and
the Art of Software Maintenance once.

I recommending talk to faculty in the computer science departments at major
universities.

But, as a practitioner, here is some fertile ground for Masters Thesis
research papers in the area of computer and network penetration testing (AKA
extreme vulnerability testing):

·         Building automated tools for maximum or complete test coverage.

·         Proving the effectiveness of formal network penetration testing
methodologies and frameworks.

·         Analysis on how attackers attempt to break into computers (using
honeypots or honeynets) in order to model their behavior using penetration
testing.

·         Proving or dispelling the practice/control/myth of password
controls (quality, aging, etc.).  Our faculty users are always asking us for
peer-reviewed academic research papers showing us why they should have to
change their password (every year).  Unfortunately the best known recent
paper on this topic by Microsoft researcher Cormac Herley and Paul C. van
Oorschot (Carleton University, Ottawa, Canada) unfortunately tends to prove
the opposite (that the cost and effort of password quality and aging often
apparently arent worth it).  I need someone to write a paper to prove that
they are worth it  so will you go ahead and write it?   [Just kidding..]
http://research.microsoft.com/apps/pubs/?id=154077
http://research.microsoft.com/pubs/154077/Persistence-authorcopy.pdf
(Preprint)

·         I think another great research topic is on social engineering via
social networks for penetration testing.  Just for fun here is what I was
able to find out what public information was on the Internet about you from
some quick research / recon :

o   Google+ page : https://plus.google.com/104286409358585115635/about

§  There are 249 peoples photos and names listed in your Google+ circles.
You may want to tighten this down.

§  There are another 244 peoples photos and names in which you are listed
in their Google+ circles.

o   Google Buzz: https://profiles.google.com/104286409358585115635/buzz  -
mostly links to a number of YouTube and other videos

o   Picasa web album:
https://plus.google.com/photos/104286409358585115635/albums?banner=pwa
- almost no photos

o   YouTube Channel:           http://www.youtube.com/user/leandroqm

§  Youve uploaded 39 videos (they appear to be videos of your family) and
listed 261 videos as your favorite.

o   Facebook:           http://www.facebook.com/leandroqm

§  You were born on June 27, 1982. Come from Joaçaba
<http://www.facebook.com/pages/Joa%C3%A7aba/111452215538605>  in Brazil.
Live currently in Florianópolis, Santa Catarina
<http://www.facebook.com/pages/Florian%C3%B3polis-Santa-Catarina/10633923273
4991> , Brazil. You went to high school at the
<http://www.facebook.com/pages/Col%C3%A9gio-Cora%C3%A7%C3%A3o-de-Jesus/10212
8923162345> Colégio Coração de Jesus.  You like bicycling.

§  In music you like : Disturbed, Mudvayne, Phanatic, David Guetta and
deadmau5.

§  In movies you like anime and sci fi.  There is a list of movies and books
(including some info security books).

§  You know Brazilian (Portuguese), Spanish, Japanese, English.

§  You appear to be identifying yourself as an atheist (but you are fairly
young yet and that could change).

o   Twitter:                http://twitter.com/leandroqm

§  You want to graduate with a Ph.D. and become a full-time pen tester and
web apps security researcher.

§  You were asking about persistent threats as a research topic for a paper
back in November.

o   About.me:          http://about.me/leandroqm

o   Foursquare:       https://foursquare.com/leandroqm

§  You ate at an Outback Steakhouse in Curitiba, PR and had an excellent
house salad and thought the waitress Angel was an angel.

o   LinkedIn:
http://www.linkedin.com/pub/leandro-magnabosco/15/54b/90a  (244 connections)

§  You are a Masters student in Computer Science at Universidade Federal de
Santa Catarina (ufsc.br) which you entered in 2011 and from which you hope
to graduate in 2014

§  Previously you attended :

·         Senai - Centro de Tecnologia em Automação e Informática

·         Universidade do Sul de Santa Catarina  (undergraduate?)

§  Youve worked as a consultant in the past for TIForte (2010/6  2011/10)
and FCDL/SC (2009/6  2010/3).

§  

Morrow

Attachment: smime.p7s
Description:

Current thread:

Penetration Testing vs the academic world Leandro Quibem Magnabosco (Jan 12)
- Re: Penetration Testing vs the academic world Valdis Kletnieks (Jan 12)
  - Re: Penetration Testing vs the academic world Leandro Quibem Magnabosco (Jan 12)
    - Re: Penetration Testing vs the academic world Valdis Kletnieks (Jan 12)
    - Re: Penetration Testing vs the academic world Morrow Long (Jan 12)
    - Re: Penetration Testing vs the academic world Leandro Quibem Magnabosco (Jan 13)