Re: WTF eEye Really?

["Justin C. Klein Keane" <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For an interesting take on this see page xxxix in Ross Anderson's
"Security Engineering" (the Legal Notice).  Apparently the debate over
whether or not to publish tools/techniques that could be used for evil
(specifically with respects to crypto) dates back to 1641.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 05/04/2010 01:32 PM, Marsh Ray wrote:
> On 5/3/2010 7:44 PM, Sec News wrote:
> > Did anyone else see this?
> >
> > http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
> >
> > """
> > Penetration Tools Can Be Weapons in the Wrong Hands
> > Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
> > Vulnerability Management
> >
> > After a lifetime in the vulnerability assessment field, I’ve come to look at
> > penetration testing almost as a kind of crime, or at least a misdemeanor.
>
> Is this for real?
>
> > We enjoy freedom of speech, even if it breaks the law or license agreements.
>
> No, there are laws and contracts that can restrict speech.
>
> > Websites cover techniques for jailbreaking iPhones even though it clearly
> > violates the EULA for Apples devices.
>
> Since when did devices have an EULA? I haven't bought an Apple in modern
> times, do they make you sign something before buying it?
>
> > Penetration tools clearly allow the
> > breaking and entering of systems to prove that vulnerabilities are real, but
> > clearly could be used maliciously to break the law.
>
> It took you a lifetime in the vulnerability assessment field to figure
> this out?
>
> > Making these tools readily available is like encouraging people to play with
> > fireworks. Too bold of a statement? I think not. Fireworks can make a
> > spectacular show, but they can also be abused and cause serious damage. In
> > most states, only people licensed and trained are permitted to set off
> > fireworks.
>
> Fireworks are macroscopic physical objects the transportation which can
> reasonably be regulated.
>
> > Now consider a pen test tool. In its open form, on the Internet, everyone
> > and anyone can use it to test their systems, but in the wrong hands, for
> > free, it can be used to break into systems and cause disruption, steal
> > information, or cause even more permanent types of harm.
>
> Yep.
>
> Your mistake is assuming that there is some jurisdiction of law that
> encompasses the Internet. Indeed, it appears that often the adversary is
> a state entity itself.
>
> Those who accept this argument that testing tools should be somehow
> restricted are only tying their own hands. You can bet that your
> adversary will not feel so restricted (if you have anything actually
> worth protecting that is.)
>
> It is even more foolish to assume that your adversary doesn't already
> have it.
>
> > How many people remember the 80’s TV show Max Headroom?
>
> I stop reading now.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkvgW0EACgkQkSlsbLsN1gBw8QcAra1aONNBorzhlwi4kNoRlw9G
rm5FlvMw3Sv7m9tzqrqGIn9lIho/somrbl4jQ8T/woJK+gS4gccS4UqV1XkvW9aR
W7ROz2eTezsUgTwyHU3tW9VuwsinFvO5n6XowCFG1pAO/O/7y+eN1usYYdz3W9Wm
ORtmxcRNyb/cYmSMuTq+3dktOG7s+XWA47FaGkfdjzTefA7dGYyUx/zysCnFKLbX
eLVA7GL79KSr6SB37uOi4vgyN0hze/p1vMw9POTo0Bhq4nT1Y1/5oyYhd29+aH9M
h3fQ/V96SFCAy1Cqq9U=
=oDqa
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/