-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The ends cannot justify the means.
I would advise against doing anything of this sort, for three reasons:
1. It is unprofessional, unethical, and illegal in nearly every country with a
computer law. It is
unequivocally banned by any professional organization worth mentioning. An act
like this would (to
me) be an egregious violation of familial trust and privacy as well. My friends
and family know I
can break their shit; they trust me not to predominantly because I never have.
I can pick most
common household deadbolts as well; I however do not demonstrate how easily
most common household
deadbolts can be picked by breaking into the homes of my family. I ask
permission first.
2. It will make no difference. Sure, your family will understand that "you
hacked them", but that's
about it. I would fathom that the vast majority would understand neither the
attack vector used nor
any way to prevent a future recurrence. Most people would understand this about
as well as they
understand why a potato in a tailpipe will stop a car from starting. The
passing of little jokes and
recipes and pictures and whatnot through email is driven by social factors, and
can by extension
only be solved with social methods. Many will not only never trust you near a
computer again, they
will completely ignore you, as they do not have the technical expertise to
connect your attack to
chain emails and phishing attacks.
3. You may well do permanent damage. Consider that your attack model is
predicated on known
behaviours of computer systems, and then consider that many machines' logic may
already be altered
(by malware or otherwise), meaning that your targets' reactions will be
undefinable. You may simply
end up bluescreening a bunch of boxes, or possibly render some of them
unbootable (yes, it has
happened). It would be reckless and adversarial to carry this out where you
cannot reliably predict
the results, especially in light of your inexperience with the tools you intend
to employ. For
christ's sake, you don't even know that Meterpreter is memory resident only by
default. You're
playing with fire, and you may well get burned.
This sort of unprofessional vigilante hacktivism is exactly why people like me
get pulled aside at
border crossings by a public that does not understand my profession. I utterly
fail to understand
why people think this is acceptable while breaking and entering is not. It is
illegal, and with very
good reason. Violating the privacy of those who trust you to make a point is
unacceptable, whatever
the reason and whatever the method. I strongly urge you to contemplate the
legal, ethical, and
possibly destructive (both to computers and friendships) implications of what
you are considering.
P.S. Your evil scheme may well fail entirely and serve only to both embarrass
you and render your
future soapbox lectures useless. That bears mentioning as well.
On 10-11-30 8:27 PM, Brian Schultz wrote:
> I'm tired of explaining to my family the reasons for not opening e-mails or
> attachments from unknown
> sources and then having them forward me some sketchy e-mail saying "this is
> so funny, check it out".
> I'm sure there are plenty of you out there in the corporate world that can
> relate with your users.
>
> I figure it's time for me to arrange a wake up call and perform my own
> pentest against friends and
> family. I figure it would be easy enough to use SET to create a "malicious"
> website that will change
> their wallpaper and blast an e-mail out to everyone. My only concerns
> are...how do I go about
> getting Meterpreter off of their machine? The last thing I want to do is
> screw up everyone's computer.
>
> Sorry if this comes across as a dumb question, I haven't played around with
> SET or metasploit
> before. I'll probably figure this out as soon as I click send but it would be
> nice to hear from
> someone else or at least a point in the right direction. Thanks
- --
Kenneth Voort - kenneth {at} voort <SPAMGUARD> {dot} ca
FDF1 6265 EBAB C05C FD06 1AED 158E 14D6 37CD E87F | pgp encrypted email
preferred
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkz2Dk0ACgkQFY4U1jfN6H8q2gCcDtucGQNnDaBUHjS8qHj0zCN/
4u0AoIhWH/NW9g71w7ffh9p748VZvl4+
=dvA8
-----END PGP SIGNATURE-----
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
