Full Disclosure mailing list archives
Re: WTF eEye Really?
From: J Roger <securityhocus () gmail com>
Date: Wed, 5 May 2010 11:27:36 -0700
And if the author is sincere and it was really his original intent, he should refrain from blogging from now on...
I have a feeling his employer will see to that for the foreseeable future. At least in a professional context representing them as a company. If he really meant it as everyone that read the original post seemed to take it, then he should have the balls to stand by what he said or admit he meant it at the time but was wrong and has since learned different. Either one of those options would be a mature way of handling the situation. Trying to spin it as "what I said isn't what I really meant. What I really meant is something so benign that no one could have a strong opinion about it and it was really pointless to even blog about." comes across as insincere. What do I know though, Mr. Haber is the one with the lifetime in the vulnerability assessment field. JRoger 2010/5/5 Sébastien Duquette <ekse.0x () gmail com>
Looks to me more like the "unqualified person doing testing" argument is used as an escape from their faux-pas. When you read the initial article, the author is clearly interested in the issue of crime being perpetrated by using these tools : "Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law." "There was tons of security around these systems and even possession of tools to penetrate a system was a crime too." In the new text, the author tells us that "what I hoped to convey was the importance of well-managed testing under the watch of a user who knows what they’re doing". This looks like a lame PR attempt at stopping the shitstorm they started by using the good old excuse this-is-not-what-I-meant. And if the author is sincere and it was really his original intent, he should refrain from blogging from now on... S. On Tue, May 4, 2010 at 11:48 AM, Mike Hale <eyeronic.design () gmail com> wrote:Looks like he rewrote it and clarified what he meant to say. I think this is a lesson on why you really should proofread stuff and ask someone else to go over your writings before you publish something. On Mon, May 3, 2010 at 5:44 PM, Sec News <secnewz () gmail com> wrote:Did anyone else see this?http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands""" Penetration Tools Can Be Weapons in the Wrong Hands Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security, Vulnerability Management After a lifetime in the vulnerability assessment field, I’ve come tolook atpenetration testing almost as a kind of crime, or at least amisdemeanor.We enjoy freedom of speech, even if it breaks the law or licenseagreements.Websites cover techniques for jailbreaking iPhones even though itclearlyviolates the EULA for Apples devices. Penetration tools clearly allowthebreaking and entering of systems to prove that vulnerabilities are real,butclearly could be used maliciously to break the law. Making these tools readily available is like encouraging people to playwithfireworks. Too bold of a statement? I think not. Fireworks can make a spectacular show, but they can also be abused and cause serious damage.Inmost states, only people licensed and trained are permitted to set off fireworks. Now consider a pen test tool. In its open form, on the Internet,everyoneand anyone can use it to test their systems, but in the wrong hands, for free, it can be used to break into systems and cause disruption, steal information, or cause even more permanent types of harm. How many people remember the 80’s TV show Max Headroom? Next to murder,themost severe crime was if users illegally used information technologysystemsto steal information or make money. There was tons of security aroundthesesystems and even possession of tools to penetrate a system was a crimetoo.So what’s the difference? Yes, it is just a TV show but in reality today we are in effect putting weapons in people’s hands, not tracking them, and allowing them to usethemnear anonymously to perform crimes or learn how to perform more sophisticated attacks. It all comes back to the first amendment andFreedomof Speech. I can write a blog of this nature, state my opinion about howIfeel about free penetration testing tools, and assure everyone that they need defenses to protect their systems, since free weapons are available that can break into your systems – easily. """ WOW - am i the only one to go WTF to this? Talk about alienating your customers and shitting where you eat. And to think i used to be a fan... - Some anonymous ex-eEye fan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- WTF eEye Really? Sec News (May 04)
- Re: WTF eEye Really? Christian Sciberras (May 04)
- Re: WTF eEye Really? Marsh Ray (May 04)
- Re: WTF eEye Really? Justin C. Klein Keane (May 04)
- Re: WTF eEye Really? Marsh Ray (May 04)
- Re: WTF eEye Really? Justin C. Klein Keane (May 04)
- Re: WTF eEye Really? Georgi Guninski (May 04)
- Re: WTF eEye Really? Michal Zalewski (May 04)
- Re: WTF eEye Really? Mike Hale (May 04)
- Re: WTF eEye Really? Sébastien Duquette (May 05)
- Re: WTF eEye Really? J Roger (May 05)
- Re: WTF eEye Really? Sébastien Duquette (May 05)