Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: WTF eEye Really?
From: Marsh Ray <marsh () extendedsubset com>
Date: Tue, 04 May 2010 12:32:54 -0500


On 5/3/2010 7:44 PM, Sec News wrote:
Did anyone else see this?

http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands

"""
Penetration Tools Can Be Weapons in the Wrong Hands
Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
Vulnerability Management

After a lifetime in the vulnerability assessment field, I’ve come to look at
penetration testing almost as a kind of crime, or at least a misdemeanor.

Is this for real?

We enjoy freedom of speech, even if it breaks the law or license agreements.

No, there are laws and contracts that can restrict speech.

Websites cover techniques for jailbreaking iPhones even though it clearly
violates the EULA for Apples devices.

Since when did devices have an EULA? I haven't bought an Apple in modern
times, do they make you sign something before buying it?

Penetration tools clearly allow the
breaking and entering of systems to prove that vulnerabilities are real, but
clearly could be used maliciously to break the law.

It took you a lifetime in the vulnerability assessment field to figure
this out?

Making these tools readily available is like encouraging people to play with
fireworks. Too bold of a statement? I think not. Fireworks can make a
spectacular show, but they can also be abused and cause serious damage. In
most states, only people licensed and trained are permitted to set off
fireworks.

Fireworks are macroscopic physical objects the transportation which can
reasonably be regulated.

Now consider a pen test tool. In its open form, on the Internet, everyone
and anyone can use it to test their systems, but in the wrong hands, for
free, it can be used to break into systems and cause disruption, steal
information, or cause even more permanent types of harm.

Yep.

Your mistake is assuming that there is some jurisdiction of law that
encompasses the Internet. Indeed, it appears that often the adversary is
a state entity itself.

Those who accept this argument that testing tools should be somehow
restricted are only tying their own hands. You can bet that your
adversary will not feel so restricted (if you have anything actually
worth protecting that is.)

It is even more foolish to assume that your adversary doesn't already
have it.

How many people remember the 80’s TV show Max Headroom?

I stop reading now.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault