Full Disclosure mailing list archives
Re: WTF eEye Really?
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Tue, 04 May 2010 13:37:05 -0400
For an interesting take on this see page xxxix in Ross Anderson's "Security Engineering" (the Legal Notice). Apparently the debate over whether or not to publish tools/techniques that could be used for evil (specifically with respect to crypto) dates back to 1641.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 05/04/2010 01:32 PM, Marsh Ray wrote:
> On 5/3/2010 7:44 PM, Sec News wrote:
>> Did anyone else see this?
>>
>> http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
>>
>> """
>> Penetration Tools Can Be Weapons in the Wrong Hands
>> Author: Morey Haber
>> Date: May 3rd, 2010
>> Categories: Network Security, Vulnerability Management
>>
>> After a lifetime in the vulnerability assessment field, I’ve come to look at penetration testing almost as a kind of crime, or at least a misdemeanor.
>
> Is this for real?
>
>> We enjoy freedom of speech, even if it breaks the law or license agreements.
>
> No, there are laws and contracts that can restrict speech.
>
>> Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apple's devices.
>
> Since when did devices have an EULA? I haven't bought an Apple in modern times, do they make you sign something before buying it?
>
>> Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.
>
> It took you a lifetime in the vulnerability assessment field to figure this out?
>
>> Making these tools readily available is like encouraging people to play with fireworks. Too bold of a statement? I think not. Fireworks can make a spectacular show, but they can also be abused and cause serious damage. In most states, only people licensed and trained are permitted to set off fireworks.
>
> Fireworks are macroscopic physical objects the transportation of which can reasonably be regulated.
>
>> Now consider a pen test tool. In its open form, on the Internet, everyone and anyone can use it to test their systems, but in the wrong hands, for free, it can be used to break into systems and cause disruption, steal information, or cause even more permanent types of harm.
>
> Yep. Your mistake is assuming that there is some jurisdiction of law that encompasses the Internet. Indeed, it appears that often the adversary is a state entity itself.
>
> Those who accept this argument that testing tools should be somehow restricted are only tying their own hands. You can bet that your adversary will not feel so restricted (if you have anything actually worth protecting that is.) It is even more foolish to assume that your adversary doesn't already have it.
>
>> How many people remember the 80’s TV show Max Headroom?
>
> I stop reading now.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/