On the heels of Verizon calling many researchers "Narcissistic Vulnerability Pimps", Morey Haber of eEye Digital Security has written a silly piece declaring his feelings that penetration testing is like "a kind of crime". This of course betrays the history of his company and how they broke into the market (selling vulnerability scanners). It is clear that Haber is disconnected from his company and industry, or just pandering for attention.
Update: Later in the day, Haber updated the blog based on a lot of (negative) feedback. The new version gets boiled down to "tools can be used for good and bad", an argument the security industry clearly hasn't heard before. I'm not sure what is more damning, that Haber released the blog without considering his wording, or that he couldn't stick to his controversial standpoint.
After a lifetime in the vulnerability assessment field, I've come to look at penetration testing almost as a kind of crime, or at least a misdemeanor.
[Penetration testing is a legitimate business that involves signed contracts, signed indemnification agreements and the exchange of money. It is no different than paying someone to come fix your broken appliance. Equating penetration testing to a crime is absurd.
Given that eEye offers penetration testing, even going so far as to use the trademarked "Any Means Possible" (AMP), one has to wonder what happened to Haber and eEye to cause them to post this garbage.]
We enjoy freedom of speech, even if it breaks the law or license agreements. Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apple's devices. Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.
Making these tools readily available is like encouraging people to play with fireworks. Too bold of a statement? I think not. Fireworks can make a spectacular show, but they can also be abused and cause serious damage. In most states, only people licensed and trained are permitted to set off fireworks.
[This argument/debate goes back some 20 years, and one wonders if Haber's "lifetime" in the field forgets this.
In most states, anyone can purchase and set off fireworks, without a license. This statement is just pure ignorance. A better analogy dating back decades is that of a car. It can be used for good or bad, but either way it requires a license to operate. Of course, a person using it to break the law will also not care about a license, but that is a minor detail that is best overlooked as it craps all over his silly argument.]
Now consider a pen test tool. In its open form, on the Internet, everyone and anyone can use it to test their systems, but in the wrong hands, for free, it can be used to break into systems and cause disruption, steal information, or cause even more permanent types of harm.
How many people remember the 80's TV show Max Headroom? Next to murder, the most severe crime was if users illegally used information technology systems to steal information or make money. There was tons of security around these systems and even possession of tools to penetrate a system was a crime too. So what's the difference?
Yes, it is just a TV show, but in reality today we are in effect putting weapons in people's hands, not tracking them, and allowing them to use them near-anonymously to perform crimes or learn how to perform more sophisticated attacks. It all comes back to the First Amendment and freedom of speech. I can write a blog of this nature, state my opinion about how I feel about free penetration testing tools, and assure everyone that they need defenses to protect their systems, since free weapons are available that can break into your systems - easily.
[Haber doesn't bother to answer the question, "what about eEye?" Not only do they sell a vulnerability scanner to anyone with money (regardless of ethics), they sell it to people in countries that are considered hostile to us. Sell to North Korea, Iran, Iraq or anyone else, no problem! Even better, for years eEye released free limited versions of their vulnerability scanner that would find specific high-profile vulnerabilities. This is the same as eEye releasing video footage and security patrol schedules for the local bank so you can more easily break in. eEye was also well known for releasing detailed technical advisories outlining vulnerabilities in software used by millions of people worldwide. Why did Haber happily take a paycheck that came from vulnerability scanner sales riding on the back of advisories that made it easier for anyone to break into systems?]