Security and legality

I have been watching videos on YouTube about Metasploit and I was wondering, is it illegal to own exploits? Yet I see people on YouTube use them for like penetration testing. Also, what are the rules on discussion of hacking on this board? I can't find the rules in the sticky.


It is not illegal to do pen testing on a device owned by you. As soon as you start trying to hack into other people's property you are committing a felony.

So you can own exploits as long as you don't hack anyone with them?

>is it illegal to own exploits?
So, I'm no lawyer, but I am a security researcher. The answer is a resounding no (at least in the US). Exploits are pretty essential to penetration testing and red teaming, which are in turn pretty dang important for maintaining the security of a network. If you can't apply regular testing using the same tools that a real hacker is going to use against you, how in the hell can you claim to have a secure system? You would have no proof! All you could say is, "well, we're pretty sure we haven't been compromised yet."

Here's what is illegal though: any unauthorized access to a computer system which is engaged in international or interstate commerce or communication. So pretty much everything connected to the Internet, and anything that's owned by any company doing business with anyone outside of the state. In fact, just don't touch anyone's computers at all without their permission. If your boss asks you to pen-test their machines, you can do so. If you want to pen-test your own machine, you can do so as well.

As for the rules on discussion of hacking... global rules 1 and 4 apply. If you want to discuss ethical hacking, there do not appear to be any rules against it. If you want to discuss committing crimes, do it somewhere else.

No one NEEDS an exploit user. Only trained government employees should have access to exploits.

Take a guess

see, i'm not even sure that the government supports this idea. CIA and NSA sponsor cybersec competitions all the time that have a red team component.

>CIA and NSA sponsor cybersec competitions all the time that have a red team component.
Oh cool, I didn't know this.

not illegal?

You should only download metasploit if you have permission from CNN


First, removing exploits from the hands of law abiding citizens doesn't remove them from the hands of criminals.

Second, and following, how are law abiding citizens supposed to defend themselves if you take away their exploits!?

Just last month a concealed exploiter stopped a school mass hacking. Just pretend you took away his exploits. What would you be telling the children's parents?

not necessarily. It depends where you got them. If you downloaded them from a site that encourages you to use them in an unlawful way it may bring you under suspicion of intent to commit a crime with them

the news network CNN? Why. I hate CNN.

wtf is a concealed exploiter? you sound like one of those peasants obsessed with guns

you sound like your IQ resides somewhere between 85 and 100

kek'd


cyberlaws are so vague. it can prob be used against u if they want to go after u. it would make good evidence in a case.


> own exploits
If by this you mean 'have security software on a device you're in possession of' then generally yes. Security tools aren't regulated like weapons [spoiler] yet [/spoiler]

oh, okay. With that question settled, are we allowed to talk about exploits on Jow Forums or Jow Forums?

As long as you aren't breaking a US law, promoting a "raid"/hacking of another site then sure.

it's a very thin line, at the very least it's unethical to divulge bugs and such without notifying the owner first, could also be argued to be promotion of illegal activity such as say divulging material on bomb making and such, like i think it falls on the same spectrum of malicious intent as shouting "FIRE" in a crowded theater

also sometimes the action that led to finding/proving the bug itself can be prosecuted too, especially on online services

like even in security publications/forums, etc, the vectors are normally talked about indirectly, refraining from giving too much info, just implying it broadly enough kinda like adults talk about sensitive stuff around kids, and ive seen this shit in papers about virus theoreticals

i think its in Underground that they mention an incident where the whole history of a mail-list of security researchers containing hundreds of detailed bug information was hacked

still don't those tools just provide a framework for general testing? i think OP is referring to specific holes

also im just talking out my ass, don't wanna trigger anyone's autism, my interest in this shit is just anthropological, have no clue if what i said is plain dumb, ive gathered it mostly from publications talking about it from law/historic viewpoints which is what interests me about this stuff, not technical

Afaik in Germany it's actually illegal to have hackerman tools, at least that's what opensuse wiki said

what do u mean by hackerman tools? kali toolset?

I speak to pentesters and other sec researchers in germany quite regularly

so no

Found it
en.opensuse.org/openSUSE:Build_Service_application_blacklist
>In Germany, it is a felony to distribute hacker tools that only have malicious purpose (Hacker Paragraph, §202c StGB). Some allowance is given to "dual purpose" tools that also allow administrative work, but SUSE Linux GmbH's legal department reserves the right to reject and restrict a particular submission to the Open Build Service. As the OBS is hosted in Germany and responsibly hosted by SUSE as part of Micro Focus International, it is usually covered by German, UK and US laws. The list includes, but is not limited to:
>aircrack, aircrack-ng
>metasploit