everyone who is not a kiddie knows rsnake is a joke, just like anyone else involved in his *.ackers group. If rsnake was to post to places like this instead of lamer 'hacker'/'security' magazines then he would be ridiculed off the list like pdp architect was. Instead I believe rsnake knows hes a kiddie so he sticks to places with non-technical people and does not involve himself with people who actually know what they are talking about.
<br><br>I picked on Adam Munter mostly because his lame intern decided to spout up on the list only to end up being a kiddie, and also Adam brought it upon himself by putting any worth into what secreview says and replying to their review.
<br><br><br><div class="gmail_quote">On Jan 2, 2008 12:02 AM, Andre Gironda <<a href="mailto:andreg@gmail.com">andreg@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Jan 1, 2008 9:51 PM, reepex <<a href="mailto:reepex@gmail.com">reepex@gmail.com</a>> wrote:<br>> ok so they are nothing alike because ptp/hts actually teach you stuff while<br>> "UPT" was for jokes... so your post was stupid
<br><br></div>The joke's on you since you don't have the context.<br><div class="Ih2E3d"><br>> I am not a part of secreview but I realize following email threads is very<br>> complicated for you.<br><br></div>
It's not complicated. I simply just don't care about who you are as<br>it relates to the thread. You appear to be attacking the<br>person/people I'm defending, while at the same time defending the<br>secreview post.
<br><div class="Ih2E3d"><br>> So you list 5 tools they use then mention they modify a javascript<br>> library... So basically they use automated tools and are former web<br>> developers ... sound pretty hardcore
<br><br></div>Javascript is more than just a language for web developers, especially<br>when utilized in the Hailstorm SmartAttack library, which isn't a<br>Javascript library. These are completely different concepts. It
<br>should also be noted that both Burp Suite and Hailstorm ARC can be<br>used in manual and hybrid modes... with step-modes and form-trainers.<br>They can modify their traversals and have tons of extra customization<br>on top of what other offerings provide... and can customize the
<br>underlying "data-driven" attacks.<br><br>Certainly you've read some of Adam Muntner's comments on, say,<br><a href="http://ha.ckers.org" target="_blank">ha.ckers.org</a> and other places?<br><br>Allow me to pick on someone in the industry for a second: RSnake.
<br><br>RSnake has an advertisement up on his website that asks, "Which web<br>application scanner can hack it?" "Check the Oct 15 post for study<br>results:"<br><a href="http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/" target="_blank">
http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/</a><br><br>Most idiots will only read what RSnake / Larry Suto have written, and<br>will completely miss the comments by Adam Muntner. Adam not only
<br>eloquently puts down the testing techniques by Larry Suto, but also<br>makes mention about proper customization of tools and testing outside<br>of the commercial scanners.<br><br>Effectively, Adam Muntner is one of the only people that does
<br>understand this problem that you specifically says that he does not,<br>and that the secreview challenge seems to care about most of all other<br>points.<br><br>Where was reepex, where was secreview when RSnake and Larry Suto
<br>blundered our industry into submission? Why pick on a hero like Adam<br>Muntner instead? What are you getting out of it?<br><br>Worse - RSnake hasn't been called out on this yet - but he has good<br>reason to promote Larry's paper. In fact, it may even be a monetary
<br>reason. In an article for INSECURE Magazine, they interview RSnake<br>(page 30):<br><a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf" target="_blank">http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf
</a><br><br>Question; What web application scanners do you use?<br><br>RSnake: [...] my favorite tools in my arsenal (including the manual<br>ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,<br>NTOSpider (commerical), httprint, Cain, sn00per, Absynthe, Sqlninja, a
<br>half dozen Firefox plugins like Webdeveloper, JSView, NoScript,<br>Greasemonkey etc... and the entire suite of unix utils out there, like<br>wget, telnet, ncftp, etc.<br><br>Notice the only commercial tool listed in NTOSpider. Coincidence?
<br><br>Apparently, too much admiration of a single web application security<br>scanning vendor can be a bad thing. Larry Suto has only ever worked<br>with Eric Caso at NTObjectives.<br><br>Adam Muntner has been a customer of several CWE-Compatible and
<br>aspiring companies out there. He has a balanced view of both the<br>commercial tools and the open-source world, as well as building his<br>own tools from scratch as the need may be.<br><div class="Ih2E3d"><br>> You must be a cissp because you take yourself and the internet very
<br>> seriously. I am pretty sure no one cares about your opinion either.<br><br></div>Wrong again; as always.<br><br>Cheers,<br><font color="#888888">Andre<br></font></blockquote></div><br>