PaulDotCom mailing list archives
Re: Wake up call for friends and family using SET
From: Craig Freyman <craigfreyman () gmail com>
Date: Wed, 1 Dec 2010 15:09:05 -0700
Let me clarify my point of view. I have done this when my family members are on the couch next to me, on my own network, with their permission. Obviously doing such without permission is not advised across public networks. I also disagree that these types of demonstrations don't work. In my experience, they can be effective in raising awareness. Like any speech, or conference etc.... if you make an impression, people will remember things. Or, in this case, they might begin to consider not clicking a link or opening a file. On Wed, Dec 1, 2010 at 1:58 AM, Kenneth Voort <listbounce-01 () voort ca>wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The ends cannot justify the means. I would advise against doing anything of this sort, for three reasons: 1. It is unprofessional, unethical, and illegal in nearly every country with a computer law. It is unequivocally banned by any professional organization worth mentioning. An act like this would (to me) be an egregious violation of familial trust and privacy as well. My friends and family know I can break their shit; they trust me not to predominantly because I never have. I can pick most common household deadbolts as well; I however do not demonstrate how easily most common household deadbolts can be picked by breaking into the homes of my family. I ask permission first. 2. It will make no difference. Sure, your family will understand that "you hacked them", but that's about it. I would fathom that the vast majority would understand neither the attack vector used nor any way to prevent a future recurrence. Most people would understand this about as well as they understand why a potato in a tailpipe will stop a car from starting. The passing of little jokes and recipes and pictures and whatnot through email is driven by social factors, and can by extension only be solved with social methods. Many will not only never trust you near a computer again, they will completely ignore you, as they do not have the technical expertise to connect your attack to chain emails and phishing attacks. 3. You may well do permanent damage. Consider that your attack model is predicated on known behaviours of computer systems, and then consider that many machines' logic may already be altered (by malware or otherwise), meaning that your targets' reactions will be undefinable. You may simply end up bluescreening a bunch of boxes, or possibly render some of them unbootable (yes, it has happened). It would be reckless and adversarial to carry this out where you cannot reliably predict the results, especially in light of your inexperience with the tools you intend to employ. For christ's sake, you don't even know that Meterpreter is memory resident only by default. You're playing with fire, and you may well get burned. This sort of unprofessional vigilante hacktivism is exactly why people like me get pulled aside at border crossings by a public that does not understand my profession. I utterly fail to understand why people think this is acceptable while breaking and entering is not. It is illegal, and with very good reason. Violating the privacy of those who trust you to make a point is unacceptable, whatever the reason and whatever the method. I strongly urge you to contemplate the legal, ethical, and possibly destructive (both to computers and friendships) implications of what you are considering. P.S. Your evil scheme may well fail entirely and serve only to both embarrass you and render your future soapbox lectures useless. That bears mentioning as well. On 10-11-30 8:27 PM, Brian Schultz wrote:I'm tired of explaining to my family the reasons for not opening e-mailsor attachments from unknownsources and then having them forward me some sketchy e-mail saying "thisis so funny, check it out".I'm sure there are plenty of you out there in the corporate world thatcan relate with your users.I figure it's time for me to arrange a wake up call and perform my ownpentest against friends andfamily. I figure it would be easy enough to use SET to create a"malicious" website that will changetheir wallpaper and blast an e-mail out to everyone. My only concernsare...how do I go aboutgetting Meterpreter off of their machine? The last thing I want to do isscrew up everyone's computer.Sorry if this comes across as a dumb question, I haven't played aroundwith SET or metasploitbefore. I'll probably figure this out as soon as I click send but itwould be nice to hear fromsomeone else or at least a point in the right direction. Thanks- -- Kenneth Voort - kenneth {at} voort <SPAMGUARD> {dot} ca FDF1 6265 EBAB C05C FD06 1AED 158E 14D6 37CD E87F | pgp encrypted email preferred -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkz2Dk0ACgkQFY4U1jfN6H8q2gCcDtucGQNnDaBUHjS8qHj0zCN/ 4u0AoIhWH/NW9g71w7ffh9p748VZvl4+ =dvA8 -----END PGP SIGNATURE----- _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Wake up call for friends and family using SET Brian Schultz (Nov 30)
- Re: Wake up call for friends and family using SET amdinside (Nov 30)
- Re: Wake up call for friends and family using SET Craig Freyman (Nov 30)
- Re: Wake up call for friends and family using SET Kenneth Voort (Dec 01)
- Re: Wake up call for friends and family using SET Craig Freyman (Dec 01)
- Re: Wake up call for friends and family using SET Ryan Sears (Dec 01)
- Re: Wake up call for friends and family using SET Ron Gula (Dec 01)
- Re: Wake up call for friends and family using SET Brian Schultz (Dec 01)
- Re: Wake up call for friends and family using SET Daniel Holiday (Dec 01)
- Re: Wake up call for friends and family using SET Daniel Holiday (Dec 02)
- Re: Wake up call for friends and family using SET Zate Berg (Dec 02)
- Re: Wake up call for friends and family using SET Daniel Holiday (Dec 03)
- Re: Wake up call for friends and family using SET Zate Berg (Dec 03)
- Re: Wake up call for friends and family using SET Daniel Holiday (Dec 03)
- Re: Wake up call for friends and family using SET Michael Salmon (Dec 03)
- Re: Wake up call for friends and family using SET Daniel Holiday (Dec 02)