
OPEN SOURCE/OFFENSIVE SECURITY TOOLING aka “for the greater good I wish to harm your ability to make a living!”


Despite living on the stupid platform, I refuse to pay for Twitter. No, it’s not happening. So I have been boxed into single-thought tweets for my most recent argument, and in a sign that I somehow have won, have received no follow-up replies. So instead I will detail my thoughts here and subject all you fictional readers to them.


After coming across this tweet morally grandstanding how open source tooling (I do NOT give one tiny iota if this is not the “OS” you people meant, you do not get to split hairs, fuck you, either demonize everything or nothing) I foolishly spent my lunch time arguing with two brick walls who want to start criminalising people who release GitHub repos, instead of actually updating my own repo with some agents.

The crux of it boils down to this: some people are upset that items they can freely select from the internet can aid criminals. Do you know what else can aid criminals that they can obtain with extremely little cost (in fact less than an internet connection)?

A hammer. I am sick to death of everyone saying “OH BUT AN OSS C2 IS LIKE GIVING EVERYONE A GUN!!!” No, it’s a TOOL, not a weapon. Please for the love of god use your noodle and compare redline stealer to psexec. “Oh but people use psexec for all sorts of hacking!” Yeah, and people use hammers to break people’s faces, we going to demonize hammers? Or just the people who use them in criminal ways?

Let’s hammer (HUE) this point a little more. Cobalt Strike is used in attacks documented on DFIR report CONSTANTLY. A cracked, leaked version of the product. Why do I not hear the same thing from these people about how cobalt should be struck down from the ends of the earth? That Fortra should be held criminally liable? Is it because they think it is difficult to get a hold of? I am in 4 separate telegram chats that have zero entry requirements that have copies of it; if you want to find it, it’s out there and easily accessible. But no, the bad actors in this thought experiment (that is actually a real scenario) are those who cracked and leaked the product (Vlad and Ivan), not the creator (Mudge/Fortra).

So to extrapolate, those at fault for cobalt strike being used in real world attacks are those who undertook criminal action? Shock and fucking horror! Yet when it comes to open source, half of cyber looks at it like it’s open sores; with disdain and a desire to actively harm those who create.

“But that’s taking it a bit far, isn’t it? People aren’t really saying that should happen!” They are, here is a follow-up tweet to supplement the original. These people actively wish to remove livelihoods in order to clamp down on second and third order effects that may or may not result from some boogeyman in a 4th world shithole.


“Because somebody, somewhere, may possibly and potentially do something unkind to someone, I (they) wish to limit your career, cause irreparable harm to your ability to perform research, and require you to give up your skillset in order to drive a taxi or wrestle a crocodile because think of the children!” - completely deranged, braindead monkeys with the biggest hate boner for offensive who would rather see you unable to feed your family than actually apply the necessary effort to secure their environments.

It always comes down to this: people who wish you to stop doing a thing always come for your livelihood. “But others don’t need to drop OSS to make a name for themselves!” How the fuck do you think Bobby Cooke (the genesis of this argument) even got noticed by IBM’s xforce in the first place? By being a really friendly guy? Or was it perhaps his insane drops re bokuloader and his other cobalt work? Hmmmm, I have a feeling it was the second one!! I don’t know about you, but I think companies like to see what value you can produce, rather than what you SAY you can do! Just a sneaky suspicion!

“Oh so you support hospitals getting randomwared?” the smug little avatar on twitter xeets, thinking he has caught you in a logical trap, not realising it is nothing but an appeal to emotion. The trolley problem does not work on me, because I will make it clear every time I will put the train on both tracks if it means my family stays safe. I’ve seen the stars and forks my Follina POC got; I know it is in bad people’s arsenals. Do you honestly think that thought gave Gaston Glock a single moment’s unrest?

Pic rel, how I sleep knowing I have provided for my family using the means and hows I possess.

You know, if you squint, there’s half a political vein running in here. But that’s not for today, it is not pertinent. The point is I am very sick of people placing blame on my trade and craft for the evils in the world. People ransomware things? That sucks, but your insistence that I should no longer feed my family as reparations for this crime I did not actually commit makes you just as evil as the one who ransomwared a hospital.