Free download empowers black hat hackers

The folks at Immunity, a company specializing in tools for penetration testing, have released a free application advertised to streamline the development of software exploits. Immunity Debugger, as the app is called, will cut exploit development time by half, according to this product announcement. The debugger is designed with …

COMMENTS

This topic is closed for new posts.
  1. Daniel

    I love those tools!

    I generally write my own, but even with access to source code, I love testing these tools out on my products I write.

    Of course, I'm no fool, I know no tool will ever compare to a real hacker who knows what he's doing and keeps his stuff to himself (like when I was a kid).

  2. Brian Miller

    Testing tools! Great!

    I'm currently writing some network software, and I'm really glad to get my hands on these. Thanks, Dan!

  3. David Eddleman

    C'mon

    "This tool in the wrong hands is going to create more zero days, more exploits and more code that ultimately puts people at risk, and I know that's not the intent."

    Well, yes it will. Think about the flip side. A knife is a tool. Its primary use is cutting. It can be used to prepare food to feed hungry people or it can be used to cut someone's throat. Tools are subjective. The principle that should be focused on is limiting *who* has access to these tools, not *what* they do.

  4. Anonymous Coward

    That 50% counts in all directions

    If the black hats take half as long and the white hats take half as long, then the difference between the two times is also half as long. But this is only a big deal for the black hats - the window of opportunity for the black hat exploits is half as long.

    Obviously a bit simplistic, but still broadly true - let's look forward to more "black hat" tools that shrink this window of opportunity even more, eh!

  5. Anonymous Coward

    Not all tools have positive applications

    "Well, yes it will. Think about the flip side. A knife is a tool. Its primary use is cutting. It can be used to prepare food to feed hungry people or it can be used to cut someone's throat."

    That's a fairly lame argument. A knife is a very general tool; it has lots of applications from dressmaking to food preparation, but not all tools are like that. A nuclear bomb, for example, isn't general: it exists solely to kill millions of people, and there's no other reason to have one. That's why there are so many people who object to nuclear bombs.

    This software only exists to speed up the process of finding exploits, which is why one of the people quoted in the article objects to its existence.

    Of course security researchers could use it to keep up with the "black hats", but that's the same sort of arms race excuse that was trotted out during the cold war to justify ever more vast arsenals of nuclear weapons. "We've got to have what they have".

    The easier it is to find exploits, the more work developers will have to do to plug all the gaps in their security, and ultimately not all of them will do that. It could be that the overall effect of this tool is to increase computer crime, not decrease it.

  6. Anonymous Coward

    Dumb comment.

    "The principle that should be focused on is limiting *who* has access to these tools, not *what* they do."

    That principle has worked so well in stopping illegal drug use and keeping guns out of the hands of criminals. Great idea! /snicker

  7. Stuart Van Onselen

    re: That 50% counts in all directions

    True, it works in both directions, but there is an asymmetry here. The ultimate goal of a White Hat will be to produce a patch, as opposed to the Black Hat who wants to write an exploit.

    Does this tool aid patch-writing as much as it does exploit writing? I wouldn't know, but my gut feeling is not. It is usually a lot easier to break something than to fix it.

  8. amanfromMars Silver badge

    Virtual Acorns for IntelAIgently Designed Oaks ......4 Fit 2 Post Armada Purposes.

    "The principle that should be focused on is limiting *who* has access to these tools, not *what* they do."

    Actually with its transparent and greater use will it be simpler for more "good guys" to police/mentor and monitor even, malcontents/idiots.

    With such collegiate Peer Pressure "review" will a Virtual Edutainment Model evolve to Present with the Sharing of ITs Opinions, a different Greater Intelligence to build upon and which may be considered Artificial in that it is an Amalgam of Human Intelligences Programming out Conflict Information/Facts for a Universal/Global Lead Intelligence.

    In a bygone Age, would that have been a Right Royal shindig? Have the Times changed?

    Knock, knock, Charles, is there anybody in there?

  9. William Donelson

    How are weapons used?

    This tool is a kind of weapon.

    Mankind does not have a good record with mass-distribution of weapons.

    Just look at Africa:

    1. The use of machine guns makes society impossible.

    2. It's impossible for a teenager to have a machine gun and not use it.

    Releasing tools like this one is just going to make things worse, on balance.

  10. Sir Runcible Spoon

    re:Knife

    "It can be used to prepare food to feed hungry people or it can be used to cut someone's throat. "

    Or both.....

  11. Owen

    Tools

    While it's true that this tool won't help with the actual writing of a patch, it will help test what vulnerabilities are there quicker. If it's used during the development stage, for example, it will speed up the finding of some holes pre-release, and give a longer time for these to be fixed. Then by the time it hits the market, in theory, more exploits will have been plugged. The reality is most companies will use the extra time given to them by discovering exploits faster to push the product earlier.

  12. Michael

    @Anon

    "That's a fairly lame argument. A knife is a very general tool, it has lots of applications from dressmaking to food preparation, but not all tools are like that. A nuclear bomb for example isn't general, it exists solely to kill millions of people, there's no other reason to have one. That's why there are so many people who object to nuclear bombs."

    This is also a fairly lame argument, as it assumes that killing millions of people is inherently "bad". Suppose the millions of people are all carriers of a nasty strain of a virus. If these people are allowed to live, they will likely wipe out all human life. In this instance, it could be argued that killing those millions of people, perhaps with a nuclear bomb, is actually a "good" thing.

    Furthermore, though nuclear weapons were designed to kill, there are plenty of reasons to have them. Many scholars believe the only reason the Western world and the USSR didn't get into an all-out war was that they knew they'd both be annihilated. It's the concept of Mutually Assured Destruction. If the West didn't have nukes while the USSR did, we'd all be speaking Russian right now. Or we'd just be dead.

    "This software only exists to speed up the process of finding exploits, which is why one of the people quoted in the article objects to its existence."

    Perhaps by running said tool on a product before its release, to find exploits sooner. You see, security experts will be able to find the exploits sooner as well, thereby giving the opportunity to plug security holes sooner. It's a zero sum game. All it does is narrow the timetable for both sides.

    "Of course security researchers could use it to keep up with the "black hats", but that's the same sort of arms race excuse that was trotted out during the cold war to justify ever more vast arsenals of nuclear weapons. "We've got to have what they have"."

    And again, it's that very same principle that may very well have kept us all alive.

    "The easier it is to find exploits, the more work developers will have to do to plug all the gaps in their security, and ultimately not all of them will do that."

    So take issue with the vendor, not the tool maker. If Black & Decker makes a new tool that will make building houses more efficient, thereby reducing cost, but your homebuilder chooses not to use it, do you blame Black & Decker, or do you blame your homebuilder?

    Ahh, the glory of indefinite terms like "could", "might" and "may".

    *cue infomercial music*

    You could make over $6,000 a week working part-time from home!!

    You could also make diddly.

    *cue the price is right loser music*

    If you say merely that "It COULD be that the overall effect of this tool is to increase computer crime, not decrease it" (emphasis mine), then you are simultaneously acknowledging that it COULD be that the overall effect of this tool is to decrease computer crime.

  13. Thorin

    RE: Dumb Comment

    -----quote-----

    "The principle that should be focused on is limiting *who* has access to these tools, not *what* they do."

    That principle has worked so well in stopping illegal drug use and keeping guns out of the hands of criminals. Great idea! /snicker

    -----end quote-----

    So you honestly believe anything that can be used to a negative end should be illegal?

    There goes your dinner fork, your beer, your Tylenol, etc.

  14. Anonymous Coward

    Not true

    "A nuclear bomb for example isn't general, it exists solely to kill millions of people, there's no other reason to have one"

    That's just not true, there's a ton of reasons to have nukes other than killing people.

    1. Destroy large space rocks or knock them off course

    2. Diplomatic negotiations

    3. Defense against aliens

  15. Thorin

    Re: How are weapons used?

    -----quote-----This tool is a kind of weapon.

    Mankind does not have a good record with mass-distribution of weapons.

    Just look at Africa:

    1. The use of machine guns makes society impossible.

    2. It's impossible for a teenager to have a machine gun and not use it.

    Releasing tools like this one is just going to make things worse, on balance.

    -----end quote-----

    Your points don't make sense.

    #1 How do machine guns make society impossible?

    (Just so we're clear here http://dictionary.reference.com/browse/society :

    1. an organized group of persons associated together for religious, benevolent, cultural, scientific, political, patriotic, or other purposes.

    2. a body of individuals living as members of a community; community. )

    Last time I checked Africa was a VERY large "organized group of persons associated together for" various purposes.

    #2 Why is it impossible for a teen to have a machine gun and not use it? It's a choice; assuming they have a brain and a heartbeat they can make the right choice or the wrong choice. The existence of the machine gun and their ownership of it does not force them one way or another.

    Someone else's actions towards the person or people may facilitate a certain response but that is not the "fault" of the object in question.

    As the saying goes "Guns don't kill people, people kill people" (whether with guns, bare hands, knives, dinner forks, drowning, etc.)

  16. Anonymous Coward

    Fud, fud, glorious fud...

    ... there's nothing quite like it for overheating the blood.

    @Dan Goodin:

    " The debugger is designed with malware writers in mind, "

    I don't see anything in the release announcement that claims that was who was in mind when it was designed, so unless you have some kind of psychic insight into the design process, this claim is unsupported fear-mongering speculation, or FUD as it's otherwise known.

    @"Not all tools have positive applications"

    " This software only exists to speed up the process of finding exploits, "

    No, that's a fallacy of the excluded middle. It exists for numerous reasons, *among which* speeding up the process of finding (actually, you mean "developing"; you /find/ a bug, then /develop/ an exploit that exploits the bug) exploits is only one. Among the many others are: speeding up the process of finding *bugs*, speeding up the process of diagnosing them to see if they are potentially exploitable, speeding up the process of developing an exploit to prove that they are in fact *actually* exploitable, speeding up the process of developing a bugfix, speeding up the testing of that bugfix, and speeding up the verification that the fix does indeed protect against attempts to exploit the bug.

    This is a DEBUGGER, for crying out loud, like GDB or WinDBG: to claim that it is only useful for one single purpose is just a total lie.

    @ Stuart Van Onselen:

    " Does this tool aid patch-writing as much as it does exploit writing? I wouldn't know "

    If you don't know, then STFU. Your 'gut feeling' is worthless and uninformed by anything except your pre-conceived prejudices and your ignorance of the facts; why on earth do you suppose that your feeling would have even the tiniest chance of being *correct* when you based it on nothing? This is science, not superstition: you don't make 'guesses' and rely on 'gut-feelings' about whether two and two makes five or what's the base-10 logarithm of 397, so why do you think that this kind of random guesswork is a valid way to measure the improvement a tool brings to the performance of these engineering tasks?

    @ amanfromMars:

    Keep up the good work :-) Your comment makes ten times more sense than most of the paranoia FUD and gratuitously hysterical over-reaction in this comment page!

  17. I.M.Fantom

    All knives need to be registered.

    and then only criminals will have knives.

    "Well, yes it will. Think about the flip side. A knife is a tool. Its primary use is cutting. It can be used to prepare food to feed hungry people or it can be used to cut someone's throat."

  18. Morely Dotes

    Prohibition doesn't work. Remember?

    "A nuclear bomb for example isn't general, it exists solely to kill millions of people, there's no other reason to have one. That's why there are so many people who object to nuclear bombs."

    Certainly the original intent was to kill (thousands, or even hundreds of thousands, but not millions - not with the original 20 KT nukes). However, there *are* peaceful uses for nuclear bombs - so far as I know, they've never been used for peaceful purposes, but it is possible to level a mountain with a subterranean nuke, for example.

    Thus we see that the *use* of any tool is dependent on the *intent* of the wielder.

    And as for "hacking" tools - I need them to find the holes in my network, and hopefully fix them, before a black hat cracker finds them. It is no more possible to keep black hats from getting these tools, than it is to keep Americans from getting alcohol, and the very attempt to do so will certainly spawn a burgeoning underground economy - and probably it will seriously inconvenience the people who have a legitimate need for the tool, thus ensuring that those who are willing to flout the law will benefit most from whatever you try to keep from them.

  19. Anonymous Coward

    l33t hax0r5 un1t3!

    sh*t man, i got my nmap , nessus, metasploit and latest w4r3z from full-disclosure.

    am i a hacker? no. i use these tools to check my environment and to prove to management the 'real deal' - as they think it's just FUD. check out the time i got onto the HR database via an open HP jetdirect port. so, this tool is useful to check that you've really locked the door - and if you haven't left any windows open

  20. Jon Tocker

    @William Donelson

    For crying out loud, just because you refuse to accept responsibility for your own actions and have to blame everything/everyone else for what you do, do not assume the rest of the world works that way.

    It may surprise you to learn that a knife did not force, convince, coerce or otherwise lead Jack the Ripper into carving up a number of sex workers in Whitechapel.

    Submachineguns did not suddenly materialise in Africa and force people to use them and they do not force people of any age to use them.

    Nor does the existence of a debugging tool that can find and exploit weaknesses force someone to then release those exploits on an unsuspecting public.

    If you believe that inanimate objects can **make people do things** you are in dire need of medication. Seriously. As in: get help.

    Tools do not talk to people, tools do not control people. They are harmless and inert until such time as a person picks them up.

    That's when the **person's** potential for help or harm is manifested by the use to which the **person** puts the tool.

    At home, I have a large number of tools which I use - knives (of varying size and sharpness; while sitting at my desk at work I have 3 knives on my person and a retractable box knife in my desk drawer, as they have yet to make a single tool that has all the various attributes I desire), hammers, "hacking tools" and so on. Over the years I have handled a large number of firearms - including pistols and submachineguns - and have owned a number of rifles - which I have even used to euthanase ailing animals, dispose of pests and hunt food.

    Not one of those tools has ever convinced or coerced me to use them to harm another person because I am mentally stable and I know I am in charge of my own actions. I am also an ethical person and have no need or desire to stab, bash or shoot anyone nor any need or desire to hack into anyone else's computer system for malicious purposes.

    Perhaps if you realise that the existence of strife in Africa (and other places) prompted some people to choose to settle the issue with violence and they then decided to get hold of machineguns as an appropriate tool to achieve their ends, rather than putting the blame on the existence of the firearm, you might have a more realistic outlook on life.

    Likewise, in the case of the debugging/exploit making tool, you need to realise there are people out there who choose to harm other people by hacking their systems and they will seek out and use this and other tools to achieve that end. Fortunately, there are also those out there who choose to use such tools to torture-test systems to find weaknesses in order to plug them before something critical is compromised.

    It's personal choice, not the existence of the tool, that matters.

  21. Anonymous Coward

    Re: It is usually a lot easier to break something than to fix it.

    By that logic, the greatest benefit in tool support is for the more complex task - the fixing rather than the breaking.

    Besides, from what I read, this tool supports *discovering* vulnerabilities, not either exploiting or patching them. This is symmetric - it is the same for both black hats and white hats.

    There are plenty of general development tools available already that make exploit, patch or any other kind of software development easier - IDEs, virtualised environments for testing, etc etc etc. It would make more sense to ban VMWare from releasing virtualisation software with debugger support than to ban this tool. And IDA Pro - if that's not a black tool, well - oh, actually, the white hats love that too, don't they. Even though they *should* already have a key advantage in the exploit/patch development race - the source code.

  22. Pascal Monett Silver badge

    "Giving people a tool that makes the creation of malicious code easier is just not a good thing"

    I'd object to that based on the fact that such tools already exist anyway. Making a good one that can be used by whitehats and security-minded people is just balancing things out.

    Now let's not get carried away in comparisons (why on earth are we mentioning nukes and MAD?). The subject is on securing code, not saving human lives. As far as I can see, a better tool for securing code is a good thing. Anything can be used for bad, so if good can be done better, it's a positive thing.

  23. Anonymous Coward

    Here we go again

    Stop drinking the Kool-Aid. Not all tools and techniques are meant for everyone. Any tool put into the wrong hands can be misused. Vulnerabilities can be and are detected without writing an exploit. Professional software developers shouldn't be wasting their time writing exploits. They should be encouraged to write code based upon good sound security principles in the first place. It is these types of stunts and antics that impede progress and real technical advancement. This again is another monumental waste of time and energy.
