Date: Tue, 04 May 2010 13:37:05 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: WTF eEye Really?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For an interesting take on this see page xxxix in Ross Anderson's
"Security Engineering" (the Legal Notice).  Apparently the debate over
whether or not to publish tools/techniques that could be used for evil
(specifically with respect to crypto) dates back to 1641.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 05/04/2010 01:32 PM, Marsh Ray wrote:
> 
> On 5/3/2010 7:44 PM, Sec News wrote:
>> Did anyone else see this?
>>
>> http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
>>
>> """
>> Penetration Tools Can Be Weapons in the Wrong Hands
>> Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
>> Vulnerability Management
>>
>> After a lifetime in the vulnerability assessment field, I’ve come to look at
>> penetration testing almost as a kind of crime, or at least a misdemeanor.
> 
> Is this for real?
> 
>> We enjoy freedom of speech, even if it breaks the law or license agreements.
> 
> No, there are laws and contracts that can restrict speech.
> 
>> Websites cover techniques for jailbreaking iPhones even though it clearly
>> violates the EULA for Apple's devices.
> 
> Since when did devices have an EULA? I haven't bought an Apple in modern
> times, do they make you sign something before buying it?
> 
>> Penetration tools clearly allow the
>> breaking and entering of systems to prove that vulnerabilities are real, but
>> clearly could be used maliciously to break the law.
> 
> It took you a lifetime in the vulnerability assessment field to figure
> this out?
> 
>> Making these tools readily available is like encouraging people to play with
>> fireworks. Too bold of a statement? I think not. Fireworks can make a
>> spectacular show, but they can also be abused and cause serious damage. In
>> most states, only people licensed and trained are permitted to set off
>> fireworks.
> 
> Fireworks are macroscopic physical objects, the transportation of which can
> reasonably be regulated.
> 
>> Now consider a pen test tool. In its open form, on the Internet, everyone
>> and anyone can use it to test their systems, but in the wrong hands, for
>> free, it can be used to break into systems and cause disruption, steal
>> information, or cause even more permanent types of harm.
> 
> Yep.
> 
> Your mistake is assuming that there is some jurisdiction of law that
> encompasses the Internet. Indeed, it appears that often the adversary is
> a state entity itself.
> 
> Those who accept this argument that testing tools should be somehow
> restricted are only tying their own hands. You can bet that your
> adversary will not feel so restricted (if you have anything actually
> worth protecting that is.)
> 
> It is even more foolish to assume that your adversary doesn't already
> have it.
> 
>> How many people remember the 80’s TV show Max Headroom?
> 
> I stop reading now.
> 
> - Marsh
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkvgW0EACgkQkSlsbLsN1gBw8QcAra1aONNBorzhlwi4kNoRlw9G
rm5FlvMw3Sv7m9tzqrqGIn9lIho/somrbl4jQ8T/woJK+gS4gccS4UqV1XkvW9aR
W7ROz2eTezsUgTwyHU3tW9VuwsinFvO5n6XowCFG1pAO/O/7y+eN1usYYdz3W9Wm
ORtmxcRNyb/cYmSMuTq+3dktOG7s+XWA47FaGkfdjzTefA7dGYyUx/zysCnFKLbX
eLVA7GL79KSr6SB37uOi4vgyN0hze/p1vMw9POTo0Bhq4nT1Y1/5oyYhd29+aH9M
h3fQ/V96SFCAy1Cqq9U=
=oDqa
-----END PGP SIGNATURE-----
