The problem IMHO is lots
of people out there still believe in security by obscurity.
Translated for this specific case, they think if Metasploit for instance
was never born,
there would have been less pwnage in the world.
There are too many examples this statement is obviously wrong.
Many times the only way to "wake up" sleeping vendors, lazy with
patching, is exactly
creating a tool that automates attacks and pwnage.
You can't imagine how many attacks in BeEF are not working anymore
(sigh) because
vendors silently patched the bug after we wrote or ported an exploit to
BeEF.
So as you can see below, I'll be at RSA asking Andrew Jaquith why on
earth he thinks penetration testing tools are evil. To be honest, I
have no idea. Does that also imply penetration testing is evil, or
is he saying that penetration testing tools make people lazy and
therefor you get better penetration tests without them, in which
case I'll try to get him to write his future papers without a
keyboard or something.
Speaking of penetration testing tools - Immunity is hiring CANVAS
developers here in Miami Beach. If you want to work on CANVAS and
you speak both assembly language and Python and have a passion for
building awesome tools that let people break into systems (some of
which we make public!), then send me an email.
We're also hiring an experienced Django web developer.
You do also have to be legal to work here in Miami or Washington DC
for these positions.
