Yes. Appstack is totally the way to go if you're an app pen guy. Shocking.
Portscanning not too useful in a whitebox pen assessment, sure.
Don't do it at all because blackhats "don't do that"? Not really. Just make sure instrumentation and response exists for both of these cases.
Pen guys don't want to perform an assessment of the environment to gauge targets but instead just break out the same kit for each engage? Sounds fine if it works for them and leaves more things to discover to the next crew that wanders through.
Sounds like more "pentesting isn't compliance" drum beating, which is both good and bad.
If you're asking social engineering questions, you're already pretty well equipped for poker.
My picks in this realm were Hold'Em Poker for Advanced Players by David Sklansky and Mason Malmuth (which seems to be out of fashion now as it dictates a pretty tight game) and also Mike Caro's Poker Tells book is quite good about the most common types of tell behavior you will see at tables and tourneys. It's up to you to determine if they're real or if someone is putting on a show.
I hardly think "Hold'Em Poker for Advanced Players" is a good book suggestion for someone who says they are just starting out. Mason's books, while excellent for what they are, are far from appropriate for someone wanting to learn the game from the ground up.
That's because he makes all of his music money from touring. Almost all music acts can't do that because they don't have the exposure - pirating or not.
10 years ago touring was purely a means to promote record sales and there were maybe a dozen acts who made money doing it (Madonna, the Rolling Stones and the like). Now it's flipping and touring is profitable for a lot more acts than it used to be.
2) Aren't willing to set it up themselves, but trust a service provider to do it for them
I read their docs a bit ago and don't really get it. I didn't really get Whisper Systems' offering either, as it appeared to have a broken trust model on a variety of levels.
If I cared about this kind of thing, and I really don't, I'd likely want to own all parts of the transport system and have the only available threat surface be the encryption algorithm as much as possible.
http://www.voip-info.org/wiki/view/Asterisk+encryption
He demonstrated a proof of concept, collected data, and went to journalists. Cherry-picking IRC logs for things for possible uses of the data is weak because they have a weak case.
Arguing about methods of responsible disclosure, a very dead horse that has been beaten to dust, seems like a waste of time and not really relevant.
This is just the endgame of the chilling effect of arresting and hounding researchers, which has been going strong ever since 2001.
http://news.cnet.com/2100-1001-270082.html