Full Disclosure mailing list archives
Re: [Professional IT Security Providers - Exposed] QuietMove ( D - )
From: reepex <reepex () gmail com>
Date: Wed, 2 Jan 2008 13:31:46 -0600
Everyone who is not a kiddie knows rsnake is a joke, just like anyone else involved in his *.ackers group. If rsnake were to post to places like this instead of lamer 'hacker'/'security' magazines then he would be ridiculed off the list like pdp architect was. Instead I believe rsnake knows he's a kiddie so he sticks to places with non-technical people and does not involve himself with people who actually know what they are talking about. I picked on Adam Muntner mostly because his lame intern decided to spout up on the list only to end up being a kiddie, and also Adam brought it upon himself by putting any worth into what secreview says and replying to their review.

On Jan 2, 2008 12:02 AM, Andre Gironda <andreg () gmail com> wrote:
> On Jan 1, 2008 9:51 PM, reepex <reepex () gmail com> wrote:
> > ok so they are nothing alike because ptp/hts actually teach you stuff
> > while "UPT" was for jokes... so your post was stupid
>
> The joke's on you since you don't have the context.
>
> > I am not a part of secreview but I realize following email threads is
> > very complicated for you.
>
> It's not complicated. I simply just don't care about who you are as it
> relates to the thread. You appear to be attacking the person/people I'm
> defending, while at the same time defending the secreview post.
>
> > So you list 5 tools they use then mention they modify a javascript
> > library... So basically they use automated tools and are former web
> > developers ... sound pretty hardcore
>
> Javascript is more than just a language for web developers, especially
> when utilized in the Hailstorm SmartAttack library, which isn't a
> Javascript library. These are completely different concepts. It should
> also be noted that both Burp Suite and Hailstorm ARC can be used in manual
> and hybrid modes... with step-modes and form-trainers. They can modify
> their traversals and have tons of extra customization on top of what other
> offerings provide... and can customize the underlying "data-driven"
> attacks.
>
> Certainly you've read some of Adam Muntner's comments on, say, ha.ckers.org
> and other places? Allow me to pick on someone in the industry for a
> second: RSnake. RSnake has an advertisement up on his website that asks,
> "Which web application scanner can hack it?" "Check the Oct 15 post for
> study results:"
> http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/
>
> Most idiots will only read what RSnake / Larry Suto have written, and will
> completely miss the comments by Adam Muntner. Adam not only eloquently
> puts down the testing techniques by Larry Suto, but also makes mention
> about proper customization of tools and testing outside of the commercial
> scanners.
>
> Effectively, Adam Muntner is one of the only people that does understand
> this problem that you specifically say that he does not, and that the
> secreview challenge seems to care about most of all other points. Where
> was reepex, where was secreview when RSnake and Larry Suto blundered our
> industry into submission? Why pick on a hero like Adam Muntner instead?
> What are you getting out of it?
>
> Worse - RSnake hasn't been called out on this yet - but he has good reason
> to promote Larry's paper. In fact, it may even be a monetary reason. In an
> article for INSECURE Magazine, they interview RSnake (page 30):
> http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf
>
> Question: What web application scanners do you use?
>
> RSnake: [...] my favorite tools in my arsenal (including the manual ones)
> are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap, NTOSpider
> (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a half dozen
> Firefox plugins like Webdeveloper, JSView, NoScript, Greasemonkey etc...
> and the entire suite of unix utils out there, like wget, telnet, ncftp,
> etc.
>
> Notice the only commercial tool listed is NTOSpider. Coincidence?
> Apparently, too much admiration of a single web application security
> scanning vendor can be a bad thing. Larry Suto has only ever worked with
> Eric Caso at NTObjectives. Adam Muntner has been a customer of several
> CWE-Compatible and aspiring companies out there. He has a balanced view of
> both the commercial tools and the open-source world, as well as building
> his own tools from scratch as the need may be.
>
> > You must be a cissp because you take yourself and the internet very
> > seriously. I am pretty sure no one cares about your opinion either.
>
> Wrong again; as always.
>
> Cheers,
> Andre
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/