Message-ID: <4BE05B41.4010603@madirish.net>
Date: Tue, 04 May 2010 13:37:05 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: WTF eEye Really?
For an interesting take on this see page xxxix in Ross Anderson's
"Security Engineering" (the Legal Notice). Apparently the debate over
whether or not to publish tools/techniques that could be used for evil
(specifically with respect to crypto) dates back to 1641.
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
On 05/04/2010 01:32 PM, Marsh Ray wrote:
>
> On 5/3/2010 7:44 PM, Sec News wrote:
>> Did anyone else see this?
>>
>> http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
>>
>> """
>> Penetration Tools Can Be Weapons in the Wrong Hands
>> Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
>> Vulnerability Management
>>
>> After a lifetime in the vulnerability assessment field, I’ve come to look at
>> penetration testing almost as a kind of crime, or at least a misdemeanor.
>
> Is this for real?
>
>> We enjoy freedom of speech, even if it breaks the law or license agreements.
>
> No, there are laws and contracts that can restrict speech.
>
>> Websites cover techniques for jailbreaking iPhones even though it clearly
>> violates the EULA for Apple's devices.
>
> Since when did devices have an EULA? I haven't bought an Apple in modern
> times; do they make you sign something before buying it?
>
>> Penetration tools clearly allow the
>> breaking and entering of systems to prove that vulnerabilities are real, but
>> clearly could be used maliciously to break the law.
>
> It took you a lifetime in the vulnerability assessment field to figure
> this out?
>
>> Making these tools readily available is like encouraging people to play with
>> fireworks. Too bold of a statement? I think not. Fireworks can make a
>> spectacular show, but they can also be abused and cause serious damage. In
>> most states, only people licensed and trained are permitted to set off
>> fireworks.
>
> Fireworks are macroscopic physical objects, the transportation of which can
> reasonably be regulated.
>
>> Now consider a pen test tool. In its open form, on the Internet, everyone
>> and anyone can use it to test their systems, but in the wrong hands, for
>> free, it can be used to break into systems and cause disruption, steal
>> information, or cause even more permanent types of harm.
>
> Yep.
>
> Your mistake is assuming that there is some jurisdiction of law that
> encompasses the Internet. Indeed, it appears that often the adversary is
> a state entity itself.
>
> Those who accept this argument that testing tools should be somehow
> restricted are only tying their own hands. You can bet that your
> adversary will not feel so restricted (if you have anything actually
> worth protecting that is.)
>
> It is even more foolish to assume that your adversary doesn't already
> have it.
>
>> How many people remember the 80’s TV show Max Headroom?
>
> I stop reading now.
>
> - Marsh
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/