grumpy chris

3 Followers
66 Following
33 Posts

pentester, eternal newb, lurker
definitely a generalist, not a specialist, pinko lefty

OSCP, OSWE, Crest, CRTO

@dangoodin I’ve already seen this in the wild in the finance sector. Pentesting a small brokerage firm and they had every single ID they’d ever collected in a web accessible folder with no authentication. This is definitely going to be a problem we’ll see a lot of.
Hey @masek, if they’ve complained to them and got no/unsatisfactory responses they should contact the Office of the Information Commissioner: https://www.oaic.gov.au/

One of the most underrated aspects of pentesting is being a good pentest customer.

What does that mean?

- Remembering that pen testers want, and are being paid to, actually pen test. Make sure they can do this by having all the accounts and access they’ll need configured and tested a week or so before the start date. Waiting around for things is a waste of time and money.

- If you know you want the report in a specific format, ask for that before the pen test starts.

- Being responsive to questions that come up during the test, especially around the context of your business/app. Pentesters have a short window of time to learn the lay of the land and maximize their value. Help them help you.

#infosec

@dangoodin I know of clients who have very good defences and robust blue teams who want ransomware style tests, including detection and backup recovery testing etc, but it’s very rare and the red team should be cleaning up their toys as soon as they’re used, for all sorts of reasons.
@x30n @Blackwing That’s some awesome work. Nice! Hopefully the vendors take it onboard.
@hailey Never ever trust the client browser. It's a filthy liar and will send you nasty things. Or more politely, what @maik and @kevinbowrin said.
@triciakickssaas Totally agree with this. I was working a fun, well-paid team member gig as a pentester in a big4. Repeatedly told my bosses I didn’t want a promotion. I’ve managed people, not my idea of a good time. When I quit shortly after they promoted me anyway, they acted all surprised and hurt. Like I’d thrown this great favour they’d done for me back in their face.