Comments on: Tools of Trade

By: nobody

nobody — Mon, 27 Jul 2009 16:16:16 +0000

I would like to confront the “holiman” by expressing an opinion opposite to the common understanding that there is “no magic”. There is magic and it is very real. Magic is when you find something first! By the time you understand things a.k.a. “magic” more “magic” is being created, by magicians of course not by you. :) Same applies to so called tools. I am really enjoying myself when I read about so called “security” exploits. The real security exploits are never made public. System compromises that are worth mentioning are never made public also. What is published on the Internet is a waste of time. And ouch :) Google is not your friend.

By: pdp

pdp — Mon, 13 Apr 2009 08:21:12 +0000

I think that we need to concentrate more on the practical side of things…

By: holiman

holiman — Sun, 12 Apr 2009 19:08:10 +0000

You are *so* right. And not just for pen-testing, but all aspects of software development. Developers (or, more commonly, managers) stare themselves blind at tools and acronyms, which is why CV:s usually are mostly long lists of tools.

I try to live by the motto: “There is no magic”. If I find that a particular tool contains “magic”, I need to dispel that magic by finding out how it works – and by understanding it I will be able to do it myself if that particular tool should not work.

By: mindcorrosive

mindcorrosive — Fri, 10 Apr 2009 21:43:06 +0000

Very true. I can’t remember the times I’ve struggled with a seemingly simple (but boring and tedious) computing operation that I would have done in, say, 10 minutes manually, but instead spending several times more fooling around with more sophisticated tools. One easy thing that works for me in this cases — when you’re going to experiment with an allegedly “time-saving” tool, specify a time limit for playing with it to get the right result. I’d probably set it at something like 30-70% of the available time, just to have a margin for still doing it the ‘stupid’ way.