lists.openwall.net: Open Source and information security mailing list archives
Date: Wed, 2 Jan 2008 13:31:46 -0600
From: reepex <reepex@...il.com>
To: "Andre Gironda" <andreg@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers - Exposed] QuietMove ( D - )

Everyone who is not a kiddie knows rsnake is a joke, just like anyone else
involved in his *.ackers group. If rsnake was to post to places like this
instead of lamer 'hacker'/'security' magazines then he would be ridiculed
off the list like pdp architect was. Instead I believe rsnake knows he's a
kiddie so he sticks to places with non-technical people and does not involve
himself with people who actually know what they are talking about.

I picked on Adam Munter mostly because his lame intern decided to spout up
on the list only to end up being a kiddie, and also Adam brought it upon
himself by putting any worth into what secreview says and replying to their
review.


On Jan 2, 2008 12:02 AM, Andre Gironda <andreg@...il.com> wrote:

> On Jan 1, 2008 9:51 PM, reepex <reepex@...il.com> wrote:
> > ok so they are nothing alike because ptp/hts actually teach you stuff while
> > "UPT" was for jokes... so your post was stupid
>
> The joke's on you since you don't have the context.
>
> > I am not a part of secreview but I realize following email threads is very
> > complicated for you.
>
> It's not complicated.  I simply just don't care about who you are as
> it relates to the thread.  You appear to be attacking the
> person/people I'm defending, while at the same time defending the
> secreview post.
>
> > So you list 5 tools they use then mention they modify a javascript
> > library...  So basically they use automated tools and  are former  web
> > developers ... sound pretty hardcore
>
> Javascript is more than just a language for web developers, especially
> when utilized in the Hailstorm SmartAttack library, which isn't a
> Javascript library.  These are completely different concepts.  It
> should also be noted that both Burp Suite and Hailstorm ARC can be
> used in manual and hybrid modes... with step-modes and form-trainers.
> They can modify their traversals and have tons of extra customization
> on top of what other offerings provide... and can customize the
> underlying "data-driven" attacks.
>
> Certainly you've read some of Adam Muntner's comments on, say,
> ha.ckers.org and other places?
>
> Allow me to pick on someone in the industry for a second: RSnake.
>
> RSnake has an advertisement up on his website that asks, "Which web
> application scanner can hack it?" "Check the Oct 15 post for study
> results:"
>
> http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/
>
> Most idiots will only read what RSnake / Larry Suto have written, and
> will completely miss the comments by Adam Muntner.  Adam not only
> eloquently puts down the testing techniques by Larry Suto, but also
> makes mention about proper customization of tools and testing outside
> of the commercial scanners.
>
> Effectively, Adam Muntner is one of the only people that does
> understand this problem that you specifically say that he does not,
> and that the secreview challenge seems to care about most of all other
> points.
>
> Where was reepex, where was secreview when RSnake and Larry Suto
> blundered our industry into submission?  Why pick on a hero like Adam
> Muntner instead?  What are you getting out of it?
>
> Worse - RSnake hasn't been called out on this yet - but he has good
> reason to promote Larry's paper.  In fact, it may even be a monetary
> reason.  In an article for INSECURE Magazine, they interview RSnake
> (page 30):
> http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf
>
> Question: What web application scanners do you use?
>
> RSnake: [...] my favorite tools in my arsenal (including the manual
> ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,
> NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a
> half dozen Firefox plugins like Webdeveloper, JSView, NoScript,
> Greasemonkey etc... and the entire suite of unix utils out there, like
> wget, telnet, ncftp, etc.
>
> Notice the only commercial tool listed is NTOSpider.  Coincidence?
>
> Apparently, too much admiration of a single web application security
> scanning vendor can be a bad thing.  Larry Suto has only ever worked
> with Eric Caso at NTObjectives.
>
> Adam Muntner has been a customer of several CWE-Compatible and
> aspiring companies out there.  He has a balanced view of both the
> commercial tools and the open-source world, as well as building his
> own tools from scratch as the need may be.
>
> > You must be a cissp because you take yourself and the internet very
> > seriously. I am pretty sure no one cares about your opinion either.
>
> Wrong again; as always.
>
> Cheers,
> Andre
>
