lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 5 May 2010 11:27:36 -0700
From: J Roger <securityhocus@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: WTF eEye Really?

>
> And if the author is sincere and it was really his original intent, he
> should refrain from blogging from now on...
>

I have a feeling his employer will see to that for the foreseeable future.
At least in a professional context representing them as a company.

If he really meant it as everyone that read the original post seemed to take
it, then he should have the balls to stand by what he said or admit he meant
it at the time but was wrong and has since learned different. Either one of
those options would be a mature way of handling the situation. Trying to
spin it as "what I said isn't what I really meant. What I really meant is
something so benign that no one could have a strong opinion about it and it
was really pointless to even blog about." comes across as insincere.

What do I know though, Mr. Haber is the one with the lifetime in the
vulnerability assessment field.

JRoger


2010/5/5 Sébastien Duquette <ekse.0x@...il.com>

> Looks to me more like the "unqualified person doing testing" argument
> is used as an escape from their faux-pas.  When you read the initial
> article, the author is clearly interested in the issue of crime being
> perpetrated by using these tools :
>
> "Penetration tools clearly allow the breaking and entering of systems
> to prove that vulnerabilities are real, but clearly could be used
> maliciously to break the law."
>
> "There was tons of security around these systems and even possession
> of tools to penetrate a system was a crime too."
>
> In the new text, the author tells us that "what I hoped to convey was
> the importance of well-managed testing under the watch of a user who
> knows what they’re doing".
>
> This looks like a lame PR attempt at stopping the shitstorm they
> started by using the good old excuse this-is-not-what-I-meant.
>
> And if the author is sincere and it was really his original intent, he
> should refrain from blogging from now on...
>
> S.
>
>
> On Tue, May 4, 2010 at 11:48 AM, Mike Hale <eyeronic.design@...il.com>
> wrote:
> > Looks like he rewrote it and clarified what he meant to say.
> >
> > I think this is a lesson on why you really should proofread stuff and
> > ask someone else to go over your writings before you publish
> > something.
> >
> > On Mon, May 3, 2010 at 5:44 PM, Sec News <secnewz@...il.com> wrote:
> >> Did anyone else see this?
> >>
> >>
> http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
> >> """
> >> Penetration Tools Can Be Weapons in the Wrong Hands
> >> Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
> >> Vulnerability Management
> >>
> >> After a lifetime in the vulnerability assessment field, I’ve come to
> look at
> >> penetration testing almost as a kind of crime, or at least a
> misdemeanor.
> >>
> >> We enjoy freedom of speech, even if it breaks the law or license
> agreements.
> >> Websites cover techniques for jailbreaking iPhones even though it
> clearly
> >> violates the EULA for Apples devices. Penetration tools clearly allow
> the
> >> breaking and entering of systems to prove that vulnerabilities are real,
> but
> >> clearly could be used maliciously to break the law.
> >>
> >> Making these tools readily available is like encouraging people to play
> with
> >> fireworks. Too bold of a statement? I think not. Fireworks can make a
> >> spectacular show, but they can also be abused and cause serious damage.
> In
> >> most states, only people licensed and trained are permitted to set off
> >> fireworks.
> >>
> >> Now consider a pen test tool. In its open form, on the Internet,
> everyone
> >> and anyone can use it to test their systems, but in the wrong hands, for
> >> free, it can be used to break into systems and cause disruption, steal
> >> information, or cause even more permanent types of harm.
> >>
> >> How many people remember the 80’s TV show Max Headroom? Next to murder,
> the
> >> most severe crime was if users illegally used information technology
> systems
> >> to steal information or make money. There was tons of security around
> these
> >> systems and even possession of tools to penetrate a system was a crime
> too.
> >> So what’s the difference?
> >>
> >> Yes, it is just a TV show but in reality today we are in effect putting
> >> weapons in people’s hands, not tracking them, and allowing them to use
> them
> >> near anonymously to perform crimes or learn how to perform more
> >> sophisticated attacks. It all comes back to the first amendment and
> Freedom
> >> of Speech. I can write a blog of this nature, state my opinion about how
> I
> >> feel about free penetration testing tools, and assure everyone that they
> >> need defenses to protect their systems, since free weapons are available
> >> that can break into your systems – easily.
> >> """
> >> WOW - am i the only one to go WTF to this?  Talk about alienating your
> >> customers and shitting where you eat.
> >> And to think i used to be a fan...
> >> - Some anonymous ex-eEye fan
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
> >
> > --
> > 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists