Backpedaled But Still Very Wrong

I guess all of the attention that the mindless blog post by eEye created has caused them to backpedal quite a bit. Sadly, Morey is still way off the mark and, if anything, has just made it clearer that he is attempting to use this as a reason you should buy their product rather than use the free (and better) tools out there. I did a quick check of Google Cache and was not able to find the original post, but here is the text of the post from yesterday:

Penetration Tools Can Be Weapons in the Wrong Hands
Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
Vulnerability Management

After a lifetime in the vulnerability assessment field, I’ve come to look
at penetration testing almost as a kind of crime, or at least a misdemeanor.

We enjoy freedom of speech, even if it breaks the law or license
agreements. Websites cover techniques for jailbreaking iPhones even though
it clearly violates the EULA for Apple's devices. Penetration tools clearly
allow the breaking and entering of systems to prove that vulnerabilities are
real, but clearly could be used maliciously to break the law.

Making these tools readily available is like encouraging people to play
with fireworks. Too bold of a statement? I think not. Fireworks can make a
spectacular show, but they can also be abused and cause serious damage. In
most states, only people licensed and trained are permitted to set off

Now consider a pen test tool. In its open form, on the Internet, everyone
and anyone can use it to test their systems, but in the wrong hands, for
free, it can be used to break into systems and cause disruption, steal
information, or cause even more permanent types of harm.

How many people remember the 80’s TV show Max Headroom? Next to murder, the
most severe crime was if users illegally used information technology systems
to steal information or make money. There was tons of security around these
systems and even possession of tools to penetrate a system was a crime too.
So what’s the difference?

Yes, it is just a TV show but in reality today we are in effect putting
weapons in people’s hands, not tracking them, and allowing them to use them
near anonymously to perform crimes or learn how to perform more
sophisticated attacks. It all comes back to the first amendment and Freedom
of Speech. I can write a blog of this nature, state my opinion about how I
feel about free penetration testing tools, and assure everyone that they
need defenses to protect their systems, since free weapons are available
that can break into your systems – easily.

And now today, it has been replaced with this:

The post I had here earlier was worded in a way that was misleading, and I want to rewrite it now so that I’m perfectly clear.

Thousands of legitimate individuals and businesses (including eEye) perform penetration testing, which is useful, required by regulatory compliance, and a very important tool in the security industry. Referring to it as anything besides a tool is a poor choice of language, and I want to correct it. My main issue is with running penetration testing tools against assets that the user either does not own or is not responsible for. And, the easy availability of such tools, often free of charge, opens the door for this potential abuse. On the contrary, it also makes it easier for businesses to test themselves whether a vulnerability can be exploited. This is a difficult balance.

With many years in this business, I’m well acquainted with what can go wrong, and what I hoped to convey was the importance of well-managed testing under the watch of a user who knows what they’re doing. When these tools aren’t used as they are intended to be, with care and professionalism, damage can be done. Having them free, and readily available for everyone increases the risk of the wrong person, using the right tools, in the wrong way.

So now all Morey was trying to say is that running a free tool against an asset you do not own or have permission to "attack" is a bad thing. He stops short of saying how he proposes we solve this problem, but I am sure that is on purpose, in order to avoid falling down the rabbit-hole of this discussion and yet again making completely stupid and indefensible statements. Besides, isn't this just like saying that doing is bad?

However, once again, Morey completely missed the point. Taking a tool and charging money for it will not deter an attacker. Attackers, the real ones and not the kiddies that get caught, already have their own toolsets and shared knowledge base. If they absolutely required a commercial tool to do their job, which is a laughable scenario, there are enough places to get one for free. I mean, one can simply download a free trial of Retina, eEye's vulnerability assessment tool, and then easily crack it. A quick search of popular torrent and other warez resources easily proves that all the commercial tools are just as readily available as the "free" ones.

But a real attacker, the kind companies like eEye cannot protect you from, will not use or need these tools regardless of their cost. Once again, Morey makes former eEye researchers sad by demonstrating his complete understanding of the very basic concepts of information security, and demonstrating just how far eEye has fallen.

Time to go pour a 40 out for our fallen homies….

UPDATE: With Black Hat coming up, in good fun and as a joke (please read that 10 times, as I still have a ton of respect for a lot of my former co-workers at eEye), I had to do this:

Remember this from I think 2005?

This year it should be this T-Shirt:


3 Responses to "Backpedaled But Still Very Wrong"

  1. B.A. Barakus Says:

    Wow what in the hell is going on over there at eEye? The lights are on but no one’s home…..

  2. The original:

    “Making these tools readily available is like encouraging people to play
    with fireworks. Too bold of a statement? I think not. ”

    What part of that was unclear?

    I mean, if we dare to risk saying anything significant, eventually we say something dumb that we wish we could take back. I think everyone would understand a “gee I must have been on crack when I wrote that” type retraction.

    Computer security needs some boldness. Taking away the original and substituting something all wishy-washy is now lame.

  3. MrDrunkNightRisin Says:

    This debate is interesting with the past day’s news of a Google researcher going nuts and posting a Microsoft zero day with four days warning. Oh. Drama. Fight, fight. Cat fight. Or something.

    But, as everyone understands on a basic level: the eEye research team was on the right road, with the right intentions, sometimes having to make hard choices. Fact of life in the security business.

    Morey is a sales guy. I am not sure where he is coming from on all of this, but he clearly is missing the full picture. In security, you have to consider all the angles. That is what we do.

    Liberal, conservative, Democrat, Republican: Whatever. What matters is the bottom line. What is right, what is best… in often morally grey areas.

    Nothing is perfect, nothing is ultimately good. And in security you deal with human lives or that which ultimately affects human lives. Sometimes dramatically. You have to choose between the lesser of two evils... because that is all there is. A reality people outside of the industry or peripheral to it can pretend does not exist.

    Hate to burst their bubble of goodness there.

    There do remain good people at eEye. And I am not making a moral judgment here on Morey. But, the research team is gone.

    I worked there. You know what most employers say? What most companies say? “Who is eEye”. Or better, they mispronounce it. “I-I”. Uhm. (Thought, “and you have how much experience in this industry?”)

    Such is life.
