Message-ID: <e9d9d4020801021131r3099aec7ve5c098aeadca3b30@mail.gmail.com>
Date: Wed, 2 Jan 2008 13:31:46 -0600
From: reepex <reepex@...il.com>
To: "Andre Gironda" <andreg@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers - Exposed] QuietMove ( D - )
Everyone who is not a kiddie knows rsnake is a joke, just like anyone else
involved in his *.ackers group. If rsnake was to post to places like this
instead of lamer 'hacker'/'security' magazines then he would be ridiculed
off the list like pdp architect was. Instead I believe rsnake knows he's a
kiddie so he sticks to places with non-technical people and does not involve
himself with people who actually know what they are talking about.
I picked on Adam Muntner mostly because his lame intern decided to spout up
on the list only to end up being a kiddie, and also Adam brought it upon
himself by putting any worth into what secreview says and replying to their
review.
On Jan 2, 2008 12:02 AM, Andre Gironda <andreg@...il.com> wrote:
> On Jan 1, 2008 9:51 PM, reepex <reepex@...il.com> wrote:
> > ok so they are nothing alike because ptp/hts actually teach you stuff while
> > "UPT" was for jokes... so your post was stupid
>
> The joke's on you since you don't have the context.
>
> > I am not a part of secreview but I realize following email threads is very
> > complicated for you.
>
> It's not complicated. I simply just don't care about who you are as
> it relates to the thread. You appear to be attacking the
> person/people I'm defending, while at the same time defending the
> secreview post.
>
> > So you list 5 tools they use then mention they modify a javascript
> > library... So basically they use automated tools and are former web
> > developers ... sound pretty hardcore
>
> Javascript is more than just a language for web developers, especially
> when utilized in the Hailstorm SmartAttack library, which isn't a
> Javascript library. These are completely different concepts. It
> should also be noted that both Burp Suite and Hailstorm ARC can be
> used in manual and hybrid modes... with step-modes and form-trainers.
> They can modify their traversals and have tons of extra customization
> on top of what other offerings provide... and can customize the
> underlying "data-driven" attacks.
>
> Certainly you've read some of Adam Muntner's comments on, say,
> ha.ckers.org and other places?
>
> Allow me to pick on someone in the industry for a second: RSnake.
>
> RSnake has an advertisement up on his website that asks, "Which web
> application scanner can hack it?" "Check the Oct 15 post for study
> results:"
>
> http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/
>
> Most idiots will only read what RSnake / Larry Suto have written, and
> will completely miss the comments by Adam Muntner. Adam not only
> eloquently puts down the testing techniques by Larry Suto, but also
> makes mention about proper customization of tools and testing outside
> of the commercial scanners.
>
> Effectively, Adam Muntner is one of the only people that does
> understand this problem that you specifically say that he does not,
> and that the secreview challenge seems to care about most of all other
> points.
>
> Where was reepex, where was secreview when RSnake and Larry Suto
> blundered our industry into submission? Why pick on a hero like Adam
> Muntner instead? What are you getting out of it?
>
> Worse - RSnake hasn't been called out on this yet - but he has good
> reason to promote Larry's paper. In fact, it may even be a monetary
> reason. In an article for INSECURE Magazine, they interview RSnake
> (page 30):
> http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf
>
> Question: What web application scanners do you use?
>
> RSnake: [...] my favorite tools in my arsenal (including the manual
> ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,
> NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a
> half dozen Firefox plugins like Webdeveloper, JSView, NoScript,
> Greasemonkey etc... and the entire suite of unix utils out there, like
> wget, telnet, ncftp, etc.
>
> Notice the only commercial tool listed is NTOSpider. Coincidence?
>
> Apparently, too much admiration of a single web application security
> scanning vendor can be a bad thing. Larry Suto has only ever worked
> with Eric Caso at NTObjectives.
>
> Adam Muntner has been a customer of several CWE-Compatible and
> aspiring companies out there. He has a balanced view of both the
> commercial tools and the open-source world, as well as building his
> own tools from scratch as the need may be.
>
> > You must be a cissp because you take yourself and the internet very
> > seriously. I am pretty sure no one cares about your opinion either.
>
> Wrong again; as always.
>
> Cheers,
> Andre
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/