Home page logo
/

dailydave logo Dailydave mailing list archives

Re: Defending the honor of...penetration testing tools
From: Mohammad Hosein <mhtajik () gmail com>
Date: Wed, 13 Feb 2013 01:26:17 +0330

"they think if Metasploit for instance was never born,
there would have been less pwnage in the world."

list knows i never stop missing Christopher , so , without further ado i
want to put an assertion here . they say "arguably" their point is
logically valid . logic being we are a Hamiltonian closed system where the
total kinetic energy of offense is just equal to the sum of our mosdef
nodes . with a sober mind , one would even calculate how much a healthy
mosdef node can actually do harm in an assumed n-degree space system with
defined objects and specific values . to make the conversation
understandable for people of different native mother languages , i am not
going to ignore the philosophical platform where and when such engineering
is happening , it sounds silly first but you get used to it . therefore we
can simply save time and presume a smart one of these guys comes right
after each update of each tool , and assigns precisely how much of
potential damage ( in some metrics like Joule , Ton , Watt ) just added to
the system . we are told by many people in many centuries written on many
books that evil thoughts make harm or eventually result in harm therefore
the thoughts themselves even if they dont get implemented into a mosdef - a
potential harm -  in Delta t , still , add to the total kinetic energy of
offense and whether the thoughts or the resulting mosdefs are rotating or
angular because they finally move , by that , i mean dave's business .

still ignoring the philosophic platform , which is "the" issue and still ,
ironically enough , we can argue our way out . How ? even within the
constraint of the conversation in terms and agreements , their idea is
Stupid ( offense intended ) . they got to make the system either absolute
zero evil thought , or there must be good mosdefs AND evil mosdefs . or
maybe they are Ok with Classic mechanics with a finger up Newton's butt ass
the forth rule ?

i suggest no addition of advanced math and physics , any kind of societal
dialog or even honor the conversation more than what it is , by adding
variety of philosophic thoughts giving insane complex angels to the topic .
that actually might be evil itself considering you are spending electrics
based on offshore oil and nuclear reactors with hazard waste that ages more
than us ;)

@ Dave : any PR is still PR . see how smooth i turned meterpreter into
mosdef ? paypal me what you honestly think the work deserve and consider i
am not legal to work in U.S or be dealt with from within U.S :>
wasnt it more fun if you got yourself a spot to talk about the RSA's
bullshit story with the Iranian Cyber Police , their "talk" , and finally
entertaining restrictions on that organization as a whole due to its
involvement in aggregating monster SYN floods to Citibank ? :D


M.



On Tue, Feb 12, 2013 at 9:48 PM, antisnatchor <antisnatchor () gmail com>wrote:

The problem IMHO is lots of people out there still believe in security by
obscurity.
Translated for this specific case, they think if Metasploit for instance
was never born,
there would have been less pwnage in the world.

There are too many examples this statement is obviously wrong.

Many times the only way to "wake up" sleeping vendors, lazy with patching,
is exactly
creating a tool that automates attacks and pwnage.

You can't imagine how many attacks in BeEF are not working anymore (sigh)
because
vendors silently patched the bug after we wrote or ported an exploit to
BeEF.

Cheers
antisnatchor

------------------------------

 Dave Aitel <dave () immunityinc com>
February 12, 2013 5:50 PM

So as you can see below, I'll be at RSA asking Andrew Jaquith why on earth
he thinks penetration testing tools are evil. To be honest, I have no idea.
Does that also imply penetration testing is evil, or is he saying that
penetration testing tools make people lazy and therefor you get better
penetration tests without them, in which case I'll try to get him to write
his future papers without a keyboard or something.

Speaking of penetration testing tools - Immunity is hiring CANVAS
developers here in Miami Beach. If you want to work on CANVAS and you speak
both assembly language and Python and have a passion for building awesome
tools that let people break into systems (some of which we make public!),
then send me an email.

We're also hiring an experienced Django web developer.

You do also have to be legal to work here in Miami or Washington DC for
these positions.

-dave



https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=3297&tclass=popup#.URp4m2gUwM0.twitter

 MASH-T16 - Debate: Internet GUN CONTROL - Are Pentesting Tools Good or
Evil?

Moderator(s):
Pete Lindstrom - Principal, Spire Security 
<https://ae.rsaconference.com/US13/connect/speakerDetail.ww?PERSON_ID=430145EACD4EBC80B7251A1E5A519F1E&tclass=popup>

Panelist(s):
Dave Aitel - Chief Executive Officer, Immunity, Inc. 
<https://ae.rsaconference.com/US13/connect/speakerDetail.ww?PERSON_ID=66B255D131FD603BCBE896DDEB1F0617&tclass=popup>
Andrew Jaquith - Chief Technology Officer, Perimeter E-Security 
<https://ae.rsaconference.com/US13/connect/speakerDetail.ww?PERSON_ID=7A07665968A7B2320DCA9BF860462864&tclass=popup>

From SATAN in the 90's to Metasploit today, penetration testing tools have
been common in the arsenal of information security professionals. These
tools allow any user to assess the vulnerable state of their IT platforms.
Some say that they are useful while others assert they are detrimental for
the overall health of the Internet. Come hear the debate and weigh in with
your own opinions.

--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]