Everyone who is not a kiddie knows rsnake is a joke, just like anyone else involved in his *.ackers group. If rsnake were to post to places like this instead of lamer 'hacker'/'security' magazines then he would be ridiculed off the list like pdp architect was. Instead I believe rsnake knows he's a kiddie so he sticks to places with non-technical people and does not involve himself with people who actually know what they are talking about.
I picked on Adam Munter mostly because his lame intern decided to spout up on the list only to end up being a kiddie, and also Adam brought it upon himself by putting any worth into what secreview says and replying to their review.

On Jan 2, 2008 12:02 AM, Andre Gironda <[EMAIL PROTECTED]> wrote:
> On Jan 1, 2008 9:51 PM, reepex <[EMAIL PROTECTED]> wrote:
> > ok so they are nothing alike because ptp/hts actually teach you stuff while
> > "UPT" was for jokes... so your post was stupid
>
> The joke's on you since you don't have the context.
>
> > I am not a part of secreview but I realize following email threads is very
> > complicated for you.
>
> It's not complicated. I simply just don't care about who you are as
> it relates to the thread. You appear to be attacking the
> person/people I'm defending, while at the same time defending the
> secreview post.
>
> > So you list 5 tools they use then mention they modify a javascript
> > library... So basically they use automated tools and are former web
> > developers ... sound pretty hardcore
>
> Javascript is more than just a language for web developers, especially
> when utilized in the Hailstorm SmartAttack library, which isn't a
> Javascript library. These are completely different concepts. It
> should also be noted that both Burp Suite and Hailstorm ARC can be
> used in manual and hybrid modes... with step-modes and form-trainers.
> They can modify their traversals and have tons of extra customization
> on top of what other offerings provide... and can customize the
> underlying "data-driven" attacks.
>
> Certainly you've read some of Adam Muntner's comments on, say,
> ha.ckers.org and other places?
>
> Allow me to pick on someone in the industry for a second: RSnake.
>
> RSnake has an advertisement up on his website that asks, "Which web
> application scanner can hack it?"
> "Check the Oct 15 post for study results:"
> http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/
>
> Most idiots will only read what RSnake / Larry Suto have written, and
> will completely miss the comments by Adam Muntner. Adam not only
> eloquently puts down the testing techniques by Larry Suto, but also
> makes mention about proper customization of tools and testing outside
> of the commercial scanners.
>
> Effectively, Adam Muntner is one of the only people that does
> understand this problem that you specifically say that he does not,
> and that the secreview challenge seems to care about most of all other
> points.
>
> Where was reepex, where was secreview when RSnake and Larry Suto
> blundered our industry into submission? Why pick on a hero like Adam
> Muntner instead? What are you getting out of it?
>
> Worse - RSnake hasn't been called out on this yet - but he has good
> reason to promote Larry's paper. In fact, it may even be a monetary
> reason. In an article for INSECURE Magazine, they interview RSnake
> (page 30):
> http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf
>
> Question: What web application scanners do you use?
>
> RSnake: [...] my favorite tools in my arsenal (including the manual
> ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,
> NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a
> half dozen Firefox plugins like Webdeveloper, JSView, NoScript,
> Greasemonkey etc... and the entire suite of unix utils out there, like
> wget, telnet, ncftp, etc.
>
> Notice the only commercial tool listed is NTOSpider. Coincidence?
>
> Apparently, too much admiration of a single web application security
> scanning vendor can be a bad thing. Larry Suto has only ever worked
> with Eric Caso at NTObjectives.
>
> Adam Muntner has been a customer of several CWE-Compatible and
> aspiring companies out there. He has a balanced view of both the
> commercial tools and the open-source world, as well as building his
> own tools from scratch as the need may be.
>
> > You must be a cissp because you take yourself and the internet very
> > seriously. I am pretty sure no one cares about your opinion either.
>
> Wrong again; as always.
>
> Cheers,
> Andre
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/