For an interesting take on this see page xxxix in Ross Anderson's "Security Engineering" (the Legal Notice). Apparently the debate over whether or not to publish tools/techniques that could be used for evil (specifically with respect to crypto) dates back to 1641.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 05/04/2010 01:32 PM, Marsh Ray wrote:
>
> On 5/3/2010 7:44 PM, Sec News wrote:
>> Did anyone else see this?
>>
>> http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
>>
>> """
>> Penetration Tools Can Be Weapons in the Wrong Hands
>> Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
>> Vulnerability Management
>>
>> After a lifetime in the vulnerability assessment field, I’ve come to look at
>> penetration testing almost as a kind of crime, or at least a misdemeanor.
>
> Is this for real?
>
>> We enjoy freedom of speech, even if it breaks the law or license agreements.
>
> No, there are laws and contracts that can restrict speech.
>
>> Websites cover techniques for jailbreaking iPhones even though it clearly
>> violates the EULA for Apple's devices.
>
> Since when did devices have an EULA? I haven't bought an Apple in modern
> times, do they make you sign something before buying it?
>
>> Penetration tools clearly allow the
>> breaking and entering of systems to prove that vulnerabilities are real, but
>> clearly could be used maliciously to break the law.
>
> It took you a lifetime in the vulnerability assessment field to figure
> this out?
>
>> Making these tools readily available is like encouraging people to play with
>> fireworks. Too bold of a statement? I think not. Fireworks can make a
>> spectacular show, but they can also be abused and cause serious damage. In
>> most states, only people licensed and trained are permitted to set off
>> fireworks.
>
> Fireworks are macroscopic physical objects the transportation of which can
> reasonably be regulated.
>
>> Now consider a pen test tool. In its open form, on the Internet, everyone
>> and anyone can use it to test their systems, but in the wrong hands, for
>> free, it can be used to break into systems and cause disruption, steal
>> information, or cause even more permanent types of harm.
>
> Yep.
>
> Your mistake is assuming that there is some jurisdiction of law that
> encompasses the Internet. Indeed, it appears that often the adversary is
> a state entity itself.
>
> Those who accept this argument that testing tools should be somehow
> restricted are only tying their own hands. You can bet that your
> adversary will not feel so restricted (if you have anything actually
> worth protecting that is.)
>
> It is even more foolish to assume that your adversary doesn't already
> have it.
>
>> How many people remember the 80’s TV show Max Headroom?
>
> I stop reading now.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/