
Penetration Tools (Updated)

The post I had here earlier was worded in a way that was misleading, and I want to rewrite it now so that I’m perfectly clear.

Thousands of legitimate individuals and businesses (including eEye) perform penetration testing, which is useful, required by regulatory compliance, and a very important tool in the security industry. Referring to it as anything besides a tool is a poor choice of language, and I want to correct it. My main issue is with running penetration testing tools against assets that the user either does not own or is not responsible for. The easy availability of such tools, often free of charge, opens the door for this potential abuse. On the other hand, it also makes it easier for businesses to test for themselves whether a vulnerability can be exploited. This is a difficult balance.

With many years in this business, I’m well acquainted with what can go wrong, and what I hoped to convey was the importance of well-managed testing under the watch of a user who knows what they’re doing. When these tools aren’t used as they are intended to be, with care and professionalism, damage can be done. Having them free, and readily available for everyone increases the risk of the wrong person, using the right tools, in the wrong way.


14 Comments:

  • Ben

    I agree, giving someone these tools can lead to bad things, but they can also help us defend against those same attacks. Take Metasploit or Nmap for example, if these tools were not available to the general population would they not be available on “underground” sites? Does anyone remember astalavista.box.sk?

    When listening to HD, Fyodor, or any other respected security professional speak, they’ve always preached the issue of responsibility. Groups make games like the UCSB iCTF available for young people to have a legal outlet to challenge themselves. If we take away these freely available tools, would we only be left with expensive commercial tools like Retina? I cannot afford these tools on my personal budget (my wife is kind enough with the budget I get), but if I were motivated by money I’m sure I could afford a license; of course, a criminal would probably just steal one.

  • Jebediah Webb

    So as long as penetration tools are commercial and people have to pay for them, then it’s ok?

  • Steve

    Did you hit your head? This has to be the most ridiculous and hypocritical post I have ever read in my life. How does eEye perform penetration testing and do they somehow have magical penetration testing tools that are not weapons for them but weapons for everyone else?

    http://www.eeye.com/Services/Penetration-Testing.aspx

    Based on eEye’s history, you may want to rethink your stance on this.

    http://hellnbak.wordpress.com/2010/05/03/how-the-mighty-have-fallen

  • Simple Nomad

    Do you have any idea the potential uses of some of these free penetration tools? Do you have any idea how valuable they are to those of us in the security industry? There are those of us that regularly use these tools to do our jobs. The very fact that the Metasploit project releases a module for the Framework is in many ways a relief, I can simply analyze the exploit from a known quality source and develop signatures (or test provided signatures) to ensure I can detect it instead of having to reverse engineer it from scratch.

    The fact that the bad guys have these free tools is really a moot point, since they have all of the commercial tools as well. Don’t tell me you track every sale you make, you don’t. When I worked at your competitor we had copies of all of your products purchased through resellers and various front companies, there was even a full-time competitive intelligence guy on the payroll whose job it was to buy everything from every one of our competitors, including you. We had loyal customers that would load competitor demo software (usually 100% functional with a date-based limited license) on test systems and send us mirrored copies of the drives. I can only imagine what a truly motivated bad guy (or nation state) might do.

    Just out of curiosity, ever sell a copy of your software to a Chinese-based company? Isn’t that the same thing, perhaps even worse?

  • Will Gragido

    I have to disagree, and for many reasons. To begin with, it is preposterous for a commercial entity who sells and markets tools with capabilities (many of which were there no licensing or bottom line being met on the part of the organization) to be taken seriously with this type of message. Recall that the commercial vulnerability market began as an extension of an open source project (Chris Klaus’ ‘Internet Scanner’ was open source and free for 3 years prior to the incorporation of ISS). Were all open source tools suddenly gone tomorrow, would that change the problems being faced by system administrators, network administrators, security practitioners and management elements? I believe the answer is ‘no’. It wouldn’t change a thing, as individuals would either create what they found absent in the commercial market (or the ‘black’ market for that matter), or just begin going about the process of assessing a host’s or network’s risk posture the old fashioned way: enumeration of the devices (detection), identification, observation and manual, followed shortly thereafter by automated (scripted), exploitation…you see, it’s not a question of tool availability; if people have the inclination they will build what they need, but rather one of responsible use. The same argument you’re making could be used for the justification of the removal of all firearms; if they weren’t available crime would go down. Perhaps. Or, perhaps were they not available crime would surge to an unprecedented level.

  • jason

    Since you relate the use of free pen test tools to fireworks as an argument, it should probably be pointed out that the majority of states in the US permit consumer fireworks, and only a very few disallow them. See: http://www.cpsc.gov/cpscpub/pubs/012.html

    Perhaps the free pen test tools are “consumer grade” vs. the commercially licensed products that, to follow your analogy, should apparently only be used by licensed professionals (though frankly, I know folks in #metasploit that I trust with these tools more than many CISSPs that I know…)

    Either way, I’m glad these tools are available, and free, and I am as grateful that I can use them as I am for the fond memories I have of lighting off fireworks with my family as a child. There’s something about being out in the field and participating that makes the moment much more enjoyable than simply watching someone else do it for you.

  • CG

    i take it we should just pay eeye to protect us… all the world needs to protect us is retina right?

  • PD

    Weak, regressive analysis, and one that plays into the hands of those who long to hamstring the entire industry. Even if I entertain this ludicrous argument (one that makes me seriously worry about eEye, I might add), it’s clear that the word “weapon” is being applied incorrectly. People rarely describe tools that harm property (short of military arms) as “weapons”. Criminal statutes typically use other terminology for such tools. A “weapon” is something used to directly injure a human being, and no matter how powerful a tool a lockpick may be, nobody in their right mind considers a lockpick to be a prima facie “weapon”.

    I’m frankly at a loss as to which “front lines” eEye is supposed to be reporting from here.

  • Morey

    I appreciate all the comments, and I want to make sure we’re all clear on the purpose of this post. That’s why I’ve rewritten it; please see above. Thanks -

    Morey

  • JL

    “When these tools aren’t used as they are intended to be, with care and professionalism, damage can be done.”

    This comment makes sense in the way you appear to intend it, but defining the intent of a tool’s author is probably far beyond what you are able to do within a blog post, as you are not the author(s) of these tools.

    “Having them free, and readily available for everyone increases the risk of the wrong person, using the right tools, in the wrong way.”

    This is still the wrong idea. “Free” has nothing to do with anything. This idea still appears to imply that “free” tools may somehow be more dangerous than commercial ones, which would seem to be an idea that appeals to eEye’s marketing strategy. Bleh.

  • Sid

    Rewritten it…
    At least you should have left the older version. For the sake of understanding the full story behind your post…

  • Geo

    Most of the best security guys in the US today started out as hackers. Where is the next generation going to come from if the tools and information are not freely available? Limiting access to information and tools in one country will do nothing but insure the next generation comes from a country where access is not limited. I don’t think that is helpful in the long run.

  • Marsh Ray

    I’ll let the revised article speak for itself.

    The original is quoted in the [Full-disclosure] archives.

    > Geo says: Most of the best security guys in the US today started out as hackers.
    > Where is the next generation going to come from if the tools and information
    > are not freely available?

    Hackers develop the tools and find the information without asking permission first.

    > Limiting access to information and tools in one
    > country will do nothing but insure the next generation comes from a country
    > where access is not limited.

    If anything, it would incentivize fresh research. Much like how US crypto export regulations inspired the rest of the world to develop that field.

  • Morey

    Again, I appreciate all the comments and arguments. With that, I’d like to close the comments on this thread. We’ll move on to a new topic and a new conversation tomorrow.

© 1998 - 2011 eEye Digital Security. All rights reserved