<div dir="ltr">On Tue, Feb 12, 2013 at 9:50 PM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
So as you can see below, I'll be at RSA asking Andrew Jaquith why on
earth he thinks penetration testing tools are evil. To be honest, I
have no idea. Does that also imply penetration testing is evil, or
is he saying that penetration testing tools make people lazy and
therefor you get better penetration tests without them, in which
case I'll try to get him to write his future papers without a
keyboard or something.<br></div></blockquote><div><br></div><div></div></div><div><br></div>Well, I can't say why he thinks they are evil, but I often thought that their NAME is. Often, when I hear people say "penetration testing tools" they *automatically* assume that "running that tool == penetration test." After all, "X tool" in many minds means "tools that does X." Penetration tools, last time I checked, don't DO penetration testing. Humans do. You can insert all the jokes about stupid people and all, but this sentiment is very, very contagious.<div>
<div><br></div><div>Therefore I often avoided naming them in my work and instead used some kludge like "exploitation tools", or (please don't laugh) "tools [somewhat] helpful during penetration testing."<br clear="all">
<div><br></div>-- <br>Dr. Anton Chuvakin<br>Site: <a href="http://www.chuvakin.org" target="_blank">http://www.chuvakin.org</a><br>Twitter: @anton_chuvakin<br>Work: <a href="http://www.linkedin.com/in/chuvakin" target="_blank">http://www.linkedin.com/in/chuvakin</a>
</div></div></div>