tremon 5 days ago
> The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs.

What's the rationale for allowing the development of offensive tooling on GitHub? Is this a free-speech thing, or are these repositories relevant for scientific research in some way?

StrauXX 5 days ago
They are heavily used in penetration tests and red teaming engagements. Banning such tools from the public just mystifies attackers' ways to defenders, while not in any way hindering serious malicious actors. We had that discussion back in the 90s and early 2000s.

freedomben 5 days ago
Agreed. Plus it's not always a clear line between offensive and legitimate usage. For many years nmap was banned on most corporate networks, but it's an invaluable tool for legitimate use too, despite being useful for offensive cases as well.

wkat4242 4 days ago
It's mainly because nmap detection is a feature of most IDSs, so it's bound to raise some red flags. Same with even doing packet sniffing. It can be detected when using Wireshark because it does reverse DNS lookups for each IP it sees in its default configuration. I had legit reasons for it at work, so I always mentioned it to the network guys before doing stuff like this. We also had a firewalled lab network. We did get some pushback once when some scans leaked out to the office network. But it was their fault for having the firewall open.

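The two detection footprints mentioned in the comment above, as an added example that is not part of the thread: a toy port-sweep heuristic of the kind IDS rules apply to nmap, and a detector for the burst of reverse-DNS (PTR) queries that Wireshark's default name resolution produces. All flow and DNS records are constructed for the example, and the thresholds are illustrative, not taken from any product.

```python
"""Added example (not from the thread): the two footprints wkat4242 mentions,
an nmap-style port sweep as an IDS sees it and the burst of reverse-DNS (PTR)
lookups Wireshark issues by default. All records below are constructed."""
from collections import defaultdict
# Constructed flows (epoch_s, src, dst, dst_port): 10.0.0.5 sweeps 40 ports
# on one host, 10.0.0.7 is ordinary traffic to a few hosts.
FLOWS = [(100.0, "10.0.0.5", "10.0.0.20", p) for p in range(20, 60)]
FLOWS += [(100.5 + i, "10.0.0.7", f"10.0.0.{20 + i}", 443) for i in range(3)]

# Constructed DNS queries (epoch_s, client, qtype, qname): 10.0.0.9 reverse-
# resolves every address it sniffs, 10.0.0.11 makes one normal lookup.
DNS = [(200.0 + i * 0.01, "10.0.0.9", "PTR", f"{i}.0.0.10.in-addr.arpa")
       for i in range(1, 30)]
DNS += [(200.3, "10.0.0.11", "A", "updates.example")]

def scan_sources(flows, window=10.0, min_ports=15):
    """Sources hitting >= min_ports distinct ports on one destination within
    `window` seconds: the vertical-scan heuristic IDS rules encode."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, _dst), events in by_pair.items():
        events.sort()
        for i, (t0, _p) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return sorted(flagged)

def ptr_burst_clients(dns_log, window=5.0, min_queries=20):
    """Clients sending >= min_queries PTR queries within `window` seconds:
    the footprint of a sniffer reverse-resolving every IP it captures."""
    by_client = defaultdict(list)
    for ts, client, qtype, _qname in dns_log:
        if qtype == "PTR":
            by_client[client].append(ts)
    flagged = []
    for client, times in by_client.items():
        times.sort()
        j = 0  # left edge of the sliding time window
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= min_queries:
                flagged.append(client)
                break
    return sorted(flagged)
```

Real deployments would read Zeek conn/dns logs or NetFlow instead of the inline tuples, but the two heuristics are the same ones that make a lab scan or a sniffer show up on the network team's console.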
randall 5 days ago
One time I ran nmap against my dev box at Facebook. I was definitely worried someone was going to give me a stern talking to.

varenc 5 days ago
I ran 'neoprint.php' on myself at Facebook in 2007 and immediately got a stern email about it... It was some script that collected info for responding to law enforcement requests. But after chastising me, the email said "I was gratified that you ran it on yourself" (as opposed to snooping on someone else!). It was just a summer internship and FB was like 'only' 80 engineers back then. But they still took it seriously.

Thorrez 4 days ago
I think that's a little different. It sounds like neoprint.php is an internal Facebook tool for looking up data on Facebook users. So improper usage of it is a privacy problem for users. It's something misbehaving employees might run against celebrities, exes, etc. (e.g. https://www.gawkerarchives.com/5637234/gcreep-google-enginee... ). OTOH, nmap isn't a privacy problem for users of Facebook (or any other tech company).

varenc 4 days ago
Yeah, totally agree. Mainly just wanted to shoehorn in my own story about stern emails at FB! Also I think running nmap on your own development machine is totally legitimate. Lots of reasons you might want to do it.

SoftTalker 5 days ago
I use nmap routinely at work to see what's on a subnet, whether anything new has appeared, or whether something is where it should not be.

bravetraveler 5 days ago
+1. If I can't run nmap or netcat, or have to justify it each time, I can't do my job. Better off elsewhere. I've departed early at least twice over this. Draconian IT serves nobody. Been doing this long enough I deliberately poke any new employer; see what's in store. Nobody cares, though. EDR appliances sell without careful administration. The industry will outlive us all.

hsbauauvhabzb 5 days ago
While that may be true, it's less true for things like Cobalt Strike. I'm not saying that banning tooling would be a good thing, but it's a bad argument to compare nmap to remote access tools.

freedomben 5 days ago
I don't disagree, but GP is asking about all offensive tools, not just Cobalt Strike. IMHO a platform like GitHub should not be picking and choosing which projects are offensive enough to remove. Yes, there are some tools that are pretty clearly more offensive than others, but creating a policy would not be clear-cut.

wkat4242 4 days ago
Cobalt Strike is just an automated script kiddie really. It's a way for red teamers to catch low-hanging fruit. And because of that, there's not so much low-hanging fruit anyway.

laveur 5 days ago
I think they get heavily used by security researchers, and other people that do regular penetration testing.

awesome_dude 5 days ago
Isn't GitHub supposed to be blocking sanctioned countries, like Iran and North Korea? https://docs.github.com/en/site-policy/other-site-policies/g...

throwaway2037 5 days ago
About Iran & GitHub: https://docs.github.com/en/site-policy/other-site-policies/g...

> GitHub now has a license from OFAC to provide cloud services to developers located or otherwise resident in Iran. This includes all public and private services for individuals and organizations, both free and paid.

> GitHub cloud services, both free and paid, are also generally available to developers located in Cuba.

overfeed 5 days ago
Do you have any reason to suspect GitHub isn't blocking those countries? How long do you think an offensive-security sponsor/passport-issuing nation might take to get around GitHub IP blocks?

dmoy 5 days ago
Right, exactly. The only way IP blocks work is if there are no vulnerable machines to take over anywhere. That is, it basically doesn't work for any motivated attacker. You could hypothetically make it work, but it would mean an extremely different Internet and device landscape than exists today. (And even then I doubt it stops a nation-state level attacker; they can always use old-fashioned espionage to get someone in meatspace and get around any technical barrier.)

traverseda 5 days ago
What alternative do you suggest?

immibis 5 days ago
[flagged]

rpdillon 5 days ago
Wait, installing nmap on your laptop from a Linux distribution's repositories is a crime in Germany?

ranger_danger 5 days ago
No, OP loves to claim almost daily how nearly everything is illegal in Germany, and never provides any sources or court cases when asked for proof, just "google it yourself" or "the German criminal code".

to11mtm 5 days ago
Not really, so long as you don't use it for anything 'bad'. I.e. if you're just running it against your local network, who's gonna report it?

dwattttt 5 days ago
Surely then it's the 'use', not the 'possession', that's a criminal offence? Or is it still a criminal offence to possess it, but you're fine as long as no one finds out? Because that doesn't stop it being a criminal offence.

to11mtm 5 days ago
My basic understanding is that a 'dual use' tool is judged more on intent; using the same analogy as when this came up on HN over a decade ago [0], a good kitchen knife can be at least as dangerous as a lot of explicitly 'banned' knives, but because it has a non-illegal use it doesn't fall into the same category as, say, a DDoS tool. And AFAIK there hasn't (yet) been a case where nmap has gotten someone in Germany in trouble with the law for possessing or using it within their local subnet.

[0] - https://news.ycombinator.com/item?id=3797151

rpdillon 5 days ago
This might be akin to lockpicks in the United States. Not illegal in and of themselves, but if you are possessing them with intent, it's a different matter.

ranger_danger 3 days ago
I think it's worth mentioning that this varies by state... while most allow you to possess lockpicking tools freely, some states do have "possession with intent" rules you need to be careful of.

immibis 5 days ago
And the police can always fabricate intent.

immibis 5 days ago
It's "whoever prepares for the commission of a [hacking] offence by acquiring computer programs for the commission of the offence", and it's been interpreted that downloading nmap can be preparing for an offence, therefore punishable. Giving copies to others (e.g. running a Debian mirror) is also likely illegal, but I doubt anyone's been charged for that yet. https://www.gesetze-im-internet.de/englisch_stgb/englisch_st...

kace91 5 days ago
> Not sure about US law, but in Germany, creating or possessing a hacking tool (including things like nmap) is a criminal offence.

Surely that must be wrong, are security certs not a thing in Germany?

MaKey 5 days ago
Unfortunately that's true: https://www.gesetze-im-internet.de/englisch_stgb/englisch_st...

kace91 5 days ago
Ugh. It does look like the wording gives some room though? As in, it requires "preparing the commission of an offense". Does acquiring the tool for other uses like learning or professional training help? Or even better, shouldn't lack of proof that the user had malicious intent be enough?

immibis 5 days ago
Police can always fabricate intent (this is not specific to Germany - they can just say you told them you were going to hack someone, or your actions or body language obviously showed it) and then in practice it's up to you to show an alternative interpretation of facts. If you're studying computer security, that might get you off - but who better than a computer security student to do actual hacking?

ranger_danger 5 days ago
Hard disagree, I think there is very important context missing here, notably:

> 2. computer programs for the purpose of the commission of such an offence

Big huge emphasis on "for the purpose of", meaning there must be clear intent to cause harm or break the law, especially for a criminal case. This assumes the purpose of the program is not inherently for hacking/criminal purposes, and I do not believe it would be hard to argue that nmap is not designed as a "hacking tool". Germany appears to have a similar standard to US criminal cases where you are presumed innocent until proven guilty "beyond a reasonable doubt": https://law.stackexchange.com/questions/40966/innocent-until...

kulahan 5 days ago
In the US you're allowed to have pretty much whatever code you want on your computer, obviously excepting binary representations of illegal photo/video content. How do they even enforce it? Or is it just an extra law to throw at someone already convicted of something?

esseph 5 days ago
That is fucking insane. Basically Linux itself would be classified as a "hacking tool".

wkat4242 4 days ago
Well, we are heading in that direction anyway, with software platforms getting more locked down. Having a rooted phone now is already enough to get banned from bank apps because you're not in the comfortable fluffy death grip of Google.
