[_RPL5_]

Who buys this stuff? Other things in the shop:

> Screen Crab: This covert inline screen grabber sits between HDMI devices - like a computer and monitor, or console and television - to quietly capture screenshots. Perfect for sysadmins, pentesters and anyone wanting to record what's on a screen.

> Shark Jack: This portable network attack tool is a pentesters best friend optimized for social engineering engagements and opportunistic wired network auditing. Out-of-the-box it's armed with an ultra fast nmap payload, providing quick and easy network reconnaissance.

> Key Croc: The Key Croc by Hak5 is a keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging pentest implant.

They say "pentesters." What prevents a malicious actor from buying and using these tools?

I think I am missing something here.

[lrvick]

I buy this stuff, but I run a security consulting company.

I also make my own stuff like this from time to time. A lot of it is pretty easy. I could teach a class of people to make a badusb device from scratch, code and all, in an hour. Any USB capable microcontroller will do. Should we ban those too?

Bad actors have had more sophisticated hardware at their disposal for decades.

Just look at teardowns of credit card skimmers.

Hak5 is not helping those people. They are helping white hats catch up and helping spread awareness how easy this stuff is.

While your mind is adjusting to this, I encourage you to put "crown vic fleet keys" in Amazon and buy yourself keys to the police cars in your area.

The global state of security is a joke and we need people helping onboard whitehats to help teach people to do better.

[WaitWaitWha]

Yes, penetration testers, red teams, blue teams, auditors, and a myriad of other security conscious roles take advantage of these tools.

> What prevents a malicious actor from buying and using these tools?

Nothing.

What prevents any actor from buying <insert any items here> and using it maliciously? A significantly deeper question. I rather promote this.

[seaman1921]

exactly, what prevents anyone from doing anything, really? haha!

[zarq]

"motivation" is usually the answer. Motivation can be (gaining) money, power, politics, etc.

[WaitWaitWha]

Which begs the question, how do we raise future generations to have motivation which decreases malfeasance?

I do not think there is a simple answer, but there is one out there...

[lrvick]

I for one teach kids to hack and lockpick every chance I get.

When you can pick every lock around you it changes your worldview forever.

Kids should not avoid something wrong because they are physically stopped by a lock.

They should avoid it because it is wrong.

Better they learn these skills from someone that will teach the ethics to go with them.

[pwillia7]

I think this is a big problem for liberalism in the future. When we have 20 billion people and technology is more powerful and ubiquitous, big consequences could happen from individual bad actors remotely. Even if only the tiniest fraction of people wanted to do bad things, there would still be quite a few of them and they'll have more access as everything is more networked together.

[teknico]

There will never be 10 billion people alive at the same time, let alone 20.

[pwillia7]

What's the certainty there? Could you expand?

[_RPL5_]

Well, for one, the US government prevents private actors from buying all sorts of things. I am surprised that selling tools which potentially "enable cyber crime" hasn't triggered some overzealous regulator in DC yet. It seems like low-hanging fruit.

[epinephrinios]

What prevents a criminal buying a chef's knife and committing a crime with it?

I am surprised that selling tools which potentially "enable murder" hasn't triggered some overzealous regulator in DC yet. It seems like low-hanging fruit. /s

Pro-authoritarian sentiment keeps going strong. Why is it so normalized these days?

[chii]

while i do agree with the general sentiment, the technology has moved faster than the societal legislative process.

If you asked a reasonable person off the streets why bioweapons (like anthrax) should not be easily purchasable, they would completely agree and hence the legislature has made such things illegal.

But if you asked that same reasonable person off the street about miniature computers and electronic devices, they would probably not imagine that such uses are possible, nor would they deem it dangerous. They might even consider it useful! So legislation on such things cannot be set by societal expectations.

[agitator]

If anything, by making devices like this accessible to the public, the end result is safer devices for everyone.

Without products like this you have criminals, a small amount of enthusiasts/researchers, and government sponsored actors exploiting vulnerabilities. If you put it out in the open, much like open source software, everyone can do it, but there's more pressure to fix blatant vulnerabilities.

[jtsiskin]

As a simple example, the “trust this computer?” prompt standard on most phones. If devices like this were only known by states governments, this feature likely would have taken longer to become standard

[AYBABTME]

Isn't that the same argument people use in support of gun ownership?

[ViViDboarder]

No. I’ve never once seen someone say that making guns more available means that the general public gets better bullet proof technology.

It, for example, hasn’t resulted in accessible bulletproof vehicles for all.

In technology, vulnerabilities found push companies to develop and deploy protections for them.

[mszcz]

I don’t think that it is. As I understand it the argument in favor of guns is that they would supposedly protect you against someone else with a gun.

I can’t protect myself from someone with a RubberDucky with a RubberDucky of my own. However, knowing that these tools exist and how easy they are to acquire and the ability to try one out for yourself might actually make you think twice about plugging that random cable or USB drive into your box.

[hashkb]

The guns you can buy don't compare in any way to the guns the bad actors have. Apples and oranges.

[Zpalmtree]

What are you talking about?

[ShakataGaNai]

Hak5 isn't breaking any new grounds with their technology. They just make it a little easier to get/use and a little sleeker. Can someone abuse this? Sure. People misuse all sorts of handy tools all the time. Knives? Staplers? 2x4s? Hammers? All have been used to kill people - doesn't make them inherently bad.

The difference is most people know about those other things and don't know about the things that hak5 sells. They don't even know it's possible, let alone it exists and is usable.

Recently the lock picking lawyer got a USB drive lock in the mail and while he picked the lock, he refused the plug in the drive. People mocked him saying that he was silly for not simply plugging in the drive into a VM or special purpose computer. The next time around he brought out a USB Killer. https://www.youtube.com/watch?v=ctByXhte_-A ex: https://usbkill.com/ .

If you don't know a random cable or USB drive can be dangerous, you're likely to be the person who picks one up off the ground and uses it. Or worse, see one sitting unattended in a coffee shop or airport and decide you need a quick boost.

What's being sold is educational just as it is dangerous. Terrible people are going to find a way to do terrible things. The least you can do is educate yourself to make it harder for them.

[SavantIdiot]

I have a number of hak5 products to see what they fuss is about and to learn what kinds of attacks to worry about being used on me! In some cases they are not really usable anymore, like the WiFiPineapple, which is largely useless due to WPA2 being ubiquitous (yes, you can hack WPA2 but I don't feel like paying for a ton of AWS lamda functions to get on my neighbors wifi). They teach you about how things work from an entirely different point of view. BashBunny is my favorite and it still works, but who plugs in random USB sticks these days? I've never used it but I learned a lot more about USB!

[sophacles]

The same people that buy lockpicks buy these:

* enthusiasts

* professional security people (blue team, pentesters)

* criminals

in the last 2 cases, they buy them because it's cheaper than making it themself.

[burnished]

I think the only thing you are missing is that most people most of the time don't want to hurt or bother others and that much of society functioning relies on this.

Cause nothing stopping you from buying any of that, at what looks like very reasonable rates.

[hashkb]

This is false. Most people will take advantage of any situation where they detect a low enough chance of consequences, regardleas of who is hurt. We act good because we don't want to be caught, embarrassed, or convicted and condemned.

It's not that most people want to hurt others. It's just that most people care only for themselves. Source: reality.

[burnished]

Hey, we agree that most people don't want to hurt anyone! I think we're much closer to agreeing than you suspect.

Now, we could quibble about whether people are more like to help you or victimize you and we could both be right. Or, we could observe that I'm correct about society functioning mostly because people don't mess with other people very much, you could chalk it up to friction and the lack of interest in others, and I will chalk it up to general back-ground good will.

[hashkb]

I don't agree that society functions well, and I see people mess with each other almost constantly. Your reality seems nice.

[jtsiskin]

I don’t think that is true. The ‘median’ person has empathy and care, and would not hurt someone even if they could be totally undetected - but there is a large skew, which makes this true for the ‘mean’ person and thus ‘reality’, if that makes any sense.

As an example: a bowl of candy on Halloween with a “take 2 pieces only please” sign on it. Most people will only take 2. A few people will grab a handful. And one person will come along and take the whole bowl.

[hashkb]

This is false, too. Those bowls were always empty by the time I got to them.

Edit: ever been at a long line for the bathroom at a big concert or sporting event? Or driven on the roads? There's always someone cheating, often making it more dangerous or painful to be that median person.

[chii]

if you look at the iterated version of your example, you will see that everyone will tend towards being the guy who grabs the whole bowl, or risk missing out on the candy.

Therefore, the parent poster's argument is actually true, even if the median person believes themselves to be empathetic.

[hashkb]

Yes. I'm not saying we choose to be bad. I'm saying we sort of have to, and billionaires get the choice, and still choose to generally do more damage than than any of us will ever have the opportunity to attempt.

[stevetodd]

I’m sorry for the world you live in. It’s not that way for everyone everywhere. I hope you can find your way to some place better.

[hashkb]

Me too! Thanks.

[ryanSrich]

I run a company that builds security awareness training software. While we don’t do any hands on hardcore stuff that this hardware would be used for, I still have an interest in keeping up with it, understanding it, and working that understanding into our training curriculums.

[rout39574]

I think you are missing nothing.

[fortran77]

Judging from the people who I see at DEFCON who follow the "Hak5" people, it's mostly kids and not professionals.