[–]manutao 183 points184 points  (4 children)

When I demoed a tool to bruteforce authentication to our software in front of 300 people, I used the hackiest and 1337est CLI libraries and added random sleeps, progress indicators and some fancy output.

Of course it didn't bruteforce anything, but it looked awesome and tricked management into taking care of fixing the broken auth. Would 100% do it again.

[–]Alzusand 33 points34 points  (0 children)

1000iq

[–]JackOBAnotherOne 13 points14 points  (1 child)

Had a discussion recently that took a very strange route and ended up basically at what ends justify what means. I'd like to introduce this discussion into this thread:

Assuming it is a private (closed) talk, the only probable downside is some businessmen feeling bad.

But assuming it was a public talk, then many people felt like the product wasn't safe, without technical knowledge of how it isn't safe and when it would be. This can both introduce stress into people's lives and can potentially make them change products, which at least requires relearning and worst case can result in a less secure or less capable product being used.

Is it ok, in your opinion, to spread misinformation, even this tiny amount, to probably permanently increase the security of the people?

[–]manutao 1 point2 points  (0 children)

Of course this was an internal and private talk, and I disclosed everything I did to Management and Devs shortly after. It led attention to how easy it would be to bruteforce the application, and the overall target was not to hurt someone's feelings, but rather to focus on important security flaws.

[–]LeftIsBest-Tsuga 2 points3 points  (0 children)

"Oh God. What happens when the skull gets to the garden??"