At Shmoocon, Billy Hoffman of SPI Dynamics is supposed to release information about a tool he's been working on called Jikto. And a lot of stink has come up about whether the tool is good or evil. And here's my post to let you know that I'm going to sit comfortably on the fence.
If the good guys were always ahead of the bad guys, then this would be evil, but it also wouldn't matter. The thing is, because the bad guys have more time than the good guys, and other advantages besides (you have to make your app work exactly as expected under all circumstances; they only have to make it behave abnormally under one), the good guys always act in response to what the bad guys are doing.
See, Firefox and IE didn't add their anti-phishing technology first, and then the bad guys started phishing. We didn't start doing source code analysis first, and then the attackers responded by inventing SQL injection. We didn't decide to use single-use tokens on form submits first, and then the bad guys responded by finding XSRF attacks. All of these things happened in the reverse order. I wish it weren't true, but it is. The bad guys work in an environment where:
- They have all the time in the world because their attacks don't have a project deadline
- They're rewarded for creativity; and if their organization doesn't recognize their creativity, they'll do really creative stuff on their own and keep all the money for themselves
- They have all the targets in the world, not just one
- They have lots and lots and lots of people because (strangely) they don't have to pay them. (Black markets are really interesting in this way: they get more resources precisely because those resources don't have to be paid, so there's no economic limit to the number of people they can add.)