Slashdot Mirror


Son of SATAN? Weighing Security Software's Risks

ryanr writes "Rob Lemos put out an article on the new metasploit relese. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.

50 of 128 comments (clear)

  1. Y'know by FrYGuY101 · · Score: 5, Insightful

    I've always thought the comparison of security tools to invasion tools like the idea of security through obscurity.

    Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
    1. Re:Y'know by David+Hume · · Score: 5, Insightful

      I've always thought the comparison of security tools to invasion tools like the idea of security through obscurity.

      Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.


      I think the concern may be that the widespread, no-cost dissemination of tools like this decrease the costs and barriers to entry to malicious hacking. Many (if not most) of the script kiddies who may wind up using this and similar tools couldn't possibly "create their own." Simlarly, many (if not most) would not purchase, or even be pirate, commercial tools.

      Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated. Just as the unlicensed possession and use of "burlar tools" is in some jurisdictions criminal, we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.

      Please don't misunderstand; I am not suggesting that this ought to occur, or that I want it to occur. I am simply suggesting that as a pure matter of fact it may occur.

    2. Re:Y'know by Milo+Fungus · · Score: 4, Informative

      Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. ...we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.

      RMS already made that prediction, in The Right To Read (which is a really interesting read, by the way). The relevant passage:

      There were ways, of course, to get around the SPA and Central Licensing. They were themselves illegal. Dan had had a classmate in software, Frank Martucci, who had obtained an illicit debugging tool, and used it to skip over the copyright monitor code when reading books. But he had told too many friends about it, and one of them turned him in to the SPA for a reward (students deep in debt were easily tempted into betrayal). In 2047, Frank was in prison, not for pirate reading, but for possessing a debugger.

      Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.

      Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises.

      His version of the prediction is a bit different, but it's the same idea. If you read through the entire story you will find an astonishing list of seemingly absurd predictions which are coming true one at a time. It's a bit unnerving to read, really.

    3. Re:Y'know by Kaa · · Score: 2, Insightful

      Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated. Just as the unlicensed possession and use of "burlar tools" is in some jurisdictions criminal, we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.

      Like, for example, a compiler?

      Not that I am a big fan of RMS, but his rants keep on looking less and less like paranoia and more and more like a no-rose-glasses view of the future...

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
  2. This could be a good tool if.... by millahtime · · Score: 4, Interesting

    This could be a good tool if admins actually used it (or some tool to look for holes) and patched the holes and watched their security. But, I have only worked at one place that has done this and the others were under the impression they didn't have to do it very often.

    Those hacking into systems will love this tool though. I'm gonna go home tonight and check my network out. Although, I don't have a thing someone would want to hack.

    1. Re:This could be a good tool if.... by justMichael · · Score: 5, Insightful
      Although, I don't have a thing someone would want to hack.
      If you have a box that is online 24/7, you have something that, to someone is worth hacking.

      Whether they use to DDoS or as a spam relay or whatever else they may want it for, owned zombies are owned zombies.
    2. Re:This could be a good tool if.... by morcheeba · · Score: 4, Insightful

      Although, I don't have a thing someone would want to hack.

      Hackers wouldn't know that fact until after they've hacked into your system.

    3. Re:This could be a good tool if.... by LostCluster · · Score: 4, Insightful

      I don't have a thing someone would want to hack

      If you have outbound bandwidth, you have something a hacker wants. Once they 0wn your box, they'll install whatever application they want to run. Be it spamming, virus spreading, distributed computing, whatever... if your data is worthless, they can just delete it to get it out of their way.

  3. SATAN -> SAINT by stonebeat.org · · Score: 5, Funny

    The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet.
    The Metasploit Project and its founder, HD Moore, hope to change that perception.


    I thought changing the name from SATAN to SAINT, fixed that perception. I mean, how many attackers wanna use a tool called "SAINT", no matter how good it is.

  4. Re:Metadupe by Archangel+Michael · · Score: 4, Funny

    Its too bad we can't moderate editors as being -1 Redundant

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. Nothing like testing security in the real world. by blcamp · · Score: 4, Interesting


    H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool?


    I don't care who has what exploit^H^H^H^H^H^H^Htesting tool, or what knowledge about hacking. It's a better "real-world" way to test your security anyway.

    Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
  6. Many insightful comments... by Anonymous Coward · · Score: 5, Funny

    Please read my comments which I posted here. Thanks! :)

  7. Re:Metadupe - Previous Comments by millahtime · · Score: 2, Insightful

    Lets look back a couple days at the same story

  8. Sure, but ... by s20451 · · Score: 5, Insightful

    There's no substitute for a secure box. But what's lost on a lot of people is that security through obscurity is only bad if it's your only security method. True security doesn't mean that you paint a bull's eye on your forehead and taunt the crackers to come after you.

    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.

    --
    Toronto-area transit rider? Rate your ride.
    1. Re:Sure, but ... by FrYGuY101 · · Score: 5, Insightful

      Conversely, if cracking tools like this are widely available, authors will be somewhat forced to at least use them to test before they release insecure software.

      Saying that these tools in and of themselves being widely available is a bad thing I'm still not sold on. Yes, Script Kiddies can now possibly attack a system in a manner which they would not have been able previously, but sysadmins can also do the same, and then secure whatever holes appear as a result, meaning that not only can the script kiddie not get in, but a Black-hat can't use that avenue either. That is why these tools exist, after all.

      --
      "If we let things terrify us, life will not be worth living."

      - Seneca
    2. Re:Sure, but ... by AftanGustur · · Score: 2, Informative


      If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.

      There are a number of things wrong with your last statement. The biggest is that most people don't patch at all, and if they do, it is often only after some news media has reported major exploitation going on in the wild.

      Another thing is that software companies don't release patches unless there is an exploit (This is changing for the better though), and often the so called "fix" only stops that particular exploit from working.

      And thirdly, in order for exploit tools to be "hard to come by", you have to stop telling people that there is a problem/bug (otherwise, there is always some kid who will create a exploit, in order to educate himself about security problems, and then release it for the recognition by peers).

      In short, you would have to go back to the "good old days" of ~1990 where very few people had access to security information and the few that had the exploits could walk in and out of whatever systems that interested them. The print spooler exploit existed for at least two years before the problem was patched (three years for Sun systems because they patched it a year after everybody else) !!

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    3. Re:Sure, but ... by David+Hume · · Score: 3, Insightful

      Yes, Script Kiddies can now possibly attack a system in a manner which they would not have been able previously, but sysadmins can also do the same, and then secure whatever holes appear as a result, meaning that not only can the script kiddie not get in, but a Black-hat can't use that avenue either.


      I suspect the concerns (which I personally don't agree with) are that: (a) for every sysadmin who is trying to protect "his" system (while performing other tasks) there are numerous script kiddies who are trying to break into his system; and (b) particularly given the economy, and shrinking corporate IT budgets, the script kiddies have far more time on their hands. The question one might ask is, Who does the no-cost and low-barrier dissemination of the tool most empower?

      The alternatives are not necessarily limited to no dissemination. Some might argue for taking steps to try to limit dissemination of the tools to the "good guys" -- even is such steps would be imperfect.

      Further, if we are concerned about the externalities caused by 24/7 connected broad band home users who are unknowingly spewing spam, well, 24/7, we might have to recognize that few if any of them will ever use such tools to protect their systems, while the script kiddies will surely use such tools to hack them.

      Of course, the counter-argument re: home users is that "surely" somebody (Microsoft????) will use the tool to test the underlying software... and "surely" the home users will download the resulting patch. :)

    4. Re:Sure, but ... by stevey · · Score: 3, Interesting
      for every sysadmin who is trying to protect "his" system (while performing other tasks) there are numerous script kiddies who are trying to break into his system;

      It's also worth saying that that each sysadmin has to make sure that each of his boxes is fully patched, and all the software, infrastructure and daily maintainence of them is carried out.

      A kiddie only has to find one flaw to penetrate a system - maybe even in a system the admin didn't know about, or which is looked after by somebody else.

  9. For the /. crowd by Prince+Vegeta+SSJ4 · · Score: 5, Funny
    the original SATAN being released

    When was Bill Gates Arrested?

    1. Re:For the /. crowd by Mateito · · Score: 5, Funny
      When was Bill Gates Arrested?

      1977

  10. What's the controversy? by awkScooby · · Score: 5, Insightful
    Is the question, "should tools exist which allow system administrators to scan their boxes for known holes?" That's an easy one to answer: YES.

    A quick glance through my log files shows that someone is scanning my boxes. Not distributing scanning tools just makes it a one sided battle (with us admins on the loosing side). Not knowing about a hole does not mean that the hole doesn't exist. So, I think that it's far better to make a level playing field, and let hackers and admins have equal opporunity for knowing the status of a box. Sure, some people won't check their systems, but that's a lost cause no matter what.

    1. Re:What's the controversy? by LostCluster · · Score: 2, Insightful

      If a scanning tool is out for a certain hole... then it's safe to say that the whole world knows that hole exists. If you're at risk for it, you better have closed it up somehow. Patch or replace the application!

      Just pretending the hole doesn't exist and wishing the scanning tool would go away isn't security... making holes go away is security.

  11. mirror by ebilhoax · · Score: 3, Informative
    Here is a mirror just incase their site gets /.'d.

  12. To use the gun analogy: by normal_guy · · Score: 5, Insightful

    Companies that create software to exploit security vulnerabilities in common software in order to get commandline access to any system don't kill systems. Script kiddies do.

    --

    Linux: Free if your time is worthless.
  13. It's a dual edge sword by Anonymous Coward · · Score: 5, Insightful

    Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...

  14. Its Simple... by trp642 · · Score: 5, Insightful

    If guns are outlawed, only outlaws will have guns...

    If security scanning tools are outlawed, only outlaws will have security scanning tools...

    1. Re:Its Simple... by Mateito · · Score: 4, Funny

      If security scanning tools are outlawed, only outlaws will have security scanning tools...

      Somehow, Dirty Harry with a pirate copies of Nmap and Satan strapped to each side of his belt just doesn't have the same testostorone rating.

      But maybe they could rename Satan to "Clint".

    2. Re:Its Simple... by Lancer · · Score: 4, Funny

      I know what you're thinking... did he launch 5 TCP XMAS scans, or 6. Well, to tell you the truth, in all this excitement I kinda lost track myself. So you've got to ask yourself a question: do you feel lucky? Well do you, punk?

      --
      Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
  15. Leveling the field by Anonymous Coward · · Score: 5, Interesting

    Lets just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.

    I this scenario, a set of 'hacking' tools made availble to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.

    If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.

    Personally, I believe that currently the knowlegde of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.

  16. Re:SATAN runs FreeBSD by platypibri · · Score: 4, Funny

    I thought us Mac users were the "religious zelots", and Bill Gates was the devil. Now you are telling me Windows is the blessed OS, and I'm a tool of SATAN? I'm going to have to take a course on the theology of computing to keep this all straight.

    --
    Yeah, I guess I'm funny like that.
  17. Suspicious Source by MicroBerto · · Score: 3, Funny
    Roblimo + Hemos = Rob Lemos

    Hmmmmm....

    --
    Berto
  18. Blah by Anonymous Coward · · Score: 4, Informative

    Some sleepy thoughts before I crash...

    This is the time-old argument of gun's dont kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".

    A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.

    This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.

    Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.

    However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of soley checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply created a root-owned file on the server, in / , called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.

    However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.

    1. Re:Blah by duffbeer703 · · Score: 2, Insightful

      There is no magic about exploiting security vulnerabilities. I have actually discovered or re-discovered exploits in the course of day-to-day Unix sysadmin duties.

      One of the biggest problems that we face is that the boundary between expert and uninformed observer is very blurry when it comes to technical issues.

      Ignorant "experts" litter the television and radio airwaves, and have a nasty habit of publishing themselves on the internet and in print.

      To a gun owner, the "guns don't kill people, people kill people" argument makes alot of sense. They shoot guns for sport and enjoy shooting targets, clays or animals.

      Likewise, when programmers or computer enthusiasts hear people suggest "banning" some tool, they think something along the lines of "hey, why does this clueless dolt want to ban something that he knows little or nothing about".

      Try understanding other people's points of view.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  19. Could it beeeeee... by Manhigh · · Score: 3, Funny

    This headline apparently written by the Church Lady

    --
    "Open the pod by doors, Hal" > "I'm afraid I can't do that, Dave" sudo "Open the pod bay doors, Hal" > alright
  20. Re:Don't blame the tool... by superpulpsicle · · Score: 2, Interesting

    In open source world people blame the author because the code may not come from a corporate entity but an individual.

  21. Re:What commercial tools? by daveaitel · · Score: 5, Informative
    There are in fact commercial tools that allow you to run exploits and include shellcode. For example:

    This one.

    Dave Aitel
    Immunity, Inc.

  22. What's the difference? by LostCluster · · Score: 3, Insightful

    A hole scanner just finds holes. It's a hacking tool if used by a hacker, a security tool if used by an admin... the only diffence is what the user intends on doing after the hole is discovered.

  23. I'm the one you fear is going to be using this by Anonymous Coward · · Score: 5, Interesting

    I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.

    While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!

    It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.

    I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.

    I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?

    If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.

  24. Re:Don't kid yourselves... by Adriax · · Score: 5, Insightful

    Funny, when this exact argument is being used against kazaa and the like, everyone throws up their arms in protest, claiming it still has legit uses.

    I don't use this or kazaa, no reason, but I sure as hell wouldn't want to see either shot down just because they ave illegal uses along with legal ones (once that happens, how long till computers themselves are heavily restricted, if not banned because someone claims it's "painfully obvious computers are the tools of criminals and terrorists").

    --
    I don't suffer from insanity, I enjoy every minute of it!
  25. Another Good Site by suwain_2 · · Score: 3, Funny

    Another site I visit frequently, Slashdot, covered this a few days back. You can view their coverage on the same article here.

    Oh, wait...

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  26. How to detect bullshit by Monkelectric · · Score: 3, Interesting

    Anytime anyone says you don't need security information/tools they're making money and you're getting the shaft. The argument "hackers could use this" translates to "our product is insecure and our admins are lazy". Security auditing is necessary in any network you'd like to be reasonably secure.

    --

    Religion is a gateway psychosis. -- Dave Foley

  27. Oh know, will this create a new breed? by DR+SoB · · Score: 3, Insightful

    Is it possible this will create a new breed of mega elite hackers that don't need to know much about the inner workings of computers to hack, they can just run automated tools to do it for them? Maybe we can call them script-kiddies or something? What's that you say, they already have these? OH!

    Of course these tools are good, the script kiddies already have k-rad tools from CodC and what-nots. News flash: many admins already use actually HACKER tools to try and find 'sploits on their pwn machines!

    I remember when I was a youngin and to be classified at all as a hacker you had to have at least _some_ knowledge of machine code. Ahh, those were the days..

    --
    Mod +5 Drunk
  28. Full Disclosure vs. Security Through Obscurity by Glamdrlng · · Score: 5, Insightful
    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.


    I disagree. If those tools are available to whitehats then security professionals can run them in lab environments and develop countermeasures like Layer 7 firewall filters and IDS rules. Furthermore, if I'm aware of an exploit that's serious enough of a risk, I have the option of killing a port on the firewalls until the risk has been mitigated. But I can't do any of those things if I'm not aware of the vulnerability andif don't know how the tool works. Not only that, but if these cats have made good on their promise to communicate with IDS vendors about ways to detect metasploit in action, then I honestly don't see how someone could make a more benign tool. I haven't seen anything on snort.org yet, but then again I'd imagine many of the exploits run by metasploit already have signatures available.

    Security professionals are inherently disadvantaged compared to blakhats. They have more time on their hands, and they have more numbers. At the end of the day, if security professionals don't have access to tools like this, then we're at even more of a disadvantage.
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  29. For the record... by rmpotter · · Score: 2, Informative

    The original SATAN was introduced by Dan Farmer back in 1995.

    The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.

    --
    Is this sig nificant?
  30. Re:Don't blame the tool... by duffbeer703 · · Score: 2, Insightful
    Blaming the author of this tool because it might be used by hackers is like blaming a gun manufacturer because the gun they make might kill someone.


    The anti-gun lobby is doing just that right now.
    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  31. What is the difference from Nessus? by ultimai · · Score: 2, Interesting

    I haven't really used nessus or metasploit, but what is the difference between the two?

  32. These tools just help hackers by skintigh2 · · Score: 3, Insightful

    Also, binoculars should be banned because they just help terrorists look for physical security vulnerabilities.

    We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.

  33. Security through wishful thinking. by Chris+Burke · · Score: 4, Insightful

    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.

    Cracking tools are and will be widely available. How effective were the courts at stopping the spread of DeCSS? Tools already exist. They will either be written or pirated, and passed around on IRC. You can't stop them from existing. You can use them yourself, for your own benefit.

    Attempting to get rid of widely available free tools that white hats could use to their benefit so that black hats won't have them isn't Security through Obscurity. It's Secruity through Wishful Thinking.

    The only reasonable way to go forward with security is that your machine must be secure in spite of the existence of cracking tools. The best way to do this is to use the tools yourself, not to try to prevent them from existing. "Outlaw cracking tools, and only outlaws will have cracking tools" may be cliche, but poor prose can still be true.

    --

    The enemies of Democracy are
  34. as much as i love reading /. by neoThoth · · Score: 3, Insightful

    The story really was toned to stir the pot. the tool is a great help to those of us in the infosec community whose jobs it is to SECURE networks. Other tools like CANVAS (and a host of others I can't think of right now) do the same thing and most aren't even open source. Any one can run Nessus but the biggest issue with any vuln Scanner is *false positives*. This tool allows verification of vulnerability.
    Rob I want you to apologize to HD Moore and go sit in the corner and think about what you've done.

    (crap there goes my karma)

  35. My first lesson with hacking back in 94 by Billly+Gates · · Score: 2, Interesting

    I remember in highschool back in 94. He was an SGI programer then. I had a friend who had a SCO box( shudder) and hacked the perl script so it could run.

    He released it to help Irix system admins secure their networks. SGI having their heads up there butts, fired him believing security through obscurity was the most effective measure. After all he now made Irix insecure??

    Irix remained the most unsecure Unix for many years untill managment made a recent change.

    Nmap is hell of alot more powerfull now and there are many clones.

    Satan is a relic of old and I just looked at some of the screenshots via a search on google. I thought it was really awesome in 94, but its quite primptive today.