List:       dailydave
Subject:    Re: [Dailydave] Defending the honor of...penetration testing tools
From:       Anton Chuvakin <anton () chuvakin ! org>
Date:       2013-02-13 1:54:38
Message-ID: CAMprzLoz8cjyizP9ZYvYR3i8zSGN1sdxqwF0QH7mDGzjtRRzZA () mail ! gmail ! com

On Tue, Feb 12, 2013 at 9:50 PM, Dave Aitel <dave@immunityinc.com> wrote:

>  So as you can see below, I'll be at RSA asking Andrew Jaquith why on
> earth he thinks penetration testing tools are evil. To be honest, I have no
> idea. Does that also imply penetration testing is evil, or is he saying
> that penetration testing tools make people lazy and therefore you get better
> penetration tests without them, in which case I'll try to get him to write
> his future papers without a keyboard or something.
>


Well, I can't say why he thinks they are evil, but I often thought that
their NAME is. Often, when I hear people say "penetration testing tools"
they *automatically* assume that "running that tool == penetration test."
After all, "X tool" in many minds means "tool that does X."  Penetration
tools, last time I checked, don't DO penetration testing. Humans do.  You
can insert all the jokes about stupid people and all, but this sentiment is
very, very contagious.

Therefore I often avoided naming them in my work and instead used
some kludge like "exploitation tools", or (please don't laugh) "tools
[somewhat] helpful during penetration testing."

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Twitter: @anton_chuvakin
Work: http://www.linkedin.com/in/chuvakin
