Hi,

Actually professional have points in time that things do align. It doesn't have anything to do with personal philosophical ideals. Security is something that everyone should be aware of and how to implement proper methods.

I personally think the standards should be high enough to achieve. We've been speaking generally since the audience is varied and targets are newbies within this forum. Yes, there's no way for anyone to know every possible variant or type of intrusion. But we should attempt to test or protect for potential intrusion. Basic security methodology should be utilized so as to harden the system generally. Services that are potential entrances or even violation by a known attack will be obvious points. But again there are methods to address those areas and good habits by a sysop, admin or whatever should be strong enough to prevent elementary issues. Extended circumstances should then be addressed by that same person or by contracted professional(s) when necessary.

BT was devised from a bunch of crackers that had interests in warring competitions and the distro originally evolved from those interests. I'm sure some maturity has been a driving force but the tools are still a valid piece that when used professionally will aid someone. My toolbox is ever evolving so to add something that will enhance by placing tools within reach will be a positive. As for other tools that common users should be made aware of then that's one arena we will most certainly find contestable. On one hand you say BT is not for everyone because of potential risks and now you're placing the statement that other tools should be brought to the forefront. Name them! You've peaked my curiosity and wonder what is in the background that you feel should be brought forward for a common user.

Awareness has always been the best defense but the common user has a lot of falsehood or plain old stupidity/ignorance about security thus not fully understanding the issue(s). That I believe is one area that we will agree on. Potential risks to the common users are going to be more for personal information that is provided to industries that should be secure. These are the points that attackers or crackers will attempt to gain from not directly to a single system within a SOHO. Sure there are times when a SOHO system will become a point to crack in order to get into the industrial side but that to can be prevented by good security habits.

Hangdog42, please don't take my statements as a argument but as a aid or enhanced discussion so as to help people who will read this as good informational presentations for the newbie forum.

Well put and the global focus on system security is the right one in my opinion.


Actually,it isn't necessarily the tools in Backtrack that I don't like. What I have a problem with is their approach to security. As an exhibit, I'll present the organization of the background reading links found in the Security Forum here

In my opinion, that is the kind of breadth that proper security requires. Penetration testing covers only a tiny portion of those references, and I doubt very strongly that is an oversight or misunderstanding. What I've learned from watching the goings-on in the Security forum is that Security is a process made up of many layers, and ignoring any layer results in a less secure system. That isn't necessarily a bad thing, provided that the people making the decisions understand the risks involved. Certainly on my own server I haven't implemented everything that could be implemented. But that is a result of an educated choice (well, at least semi-educated) and I think I have a reasonable grasp of the risks I'm running.

So in essence, I think Backtrack is presenting a highly skewed version of proper security by only focusing on how to break into things when in fact penetration testing is only a small portion of what security should entail. And yes, I do believe that a lot of people get mislead by Backtrack because of it's "l33t" aura. That unfortunately means that a lot of people aren't learning that cracking into machines isn't particularly useful.

No worries, this is a good discussion from all sides as far as I'm concerned. And likewise, I'm not trying to be argumentative, but rather make sure the topic gets a good airing. One of the downsides of most Linux distros is that they enable people to do relatively "professional" things like run a web server but don't get deep enough into how to secure those against the wilds of the Internet.

Your views are valid but I don't necessarily agree with them all, though I can understand where you are coming from.

In the end the perception of the distro varies from user to user as almost all distros do. One of the most common replies when asking, "What distro should I use?" is, "Well that depends on what you're wanting to do.". If there are people that find the wide array of tools convenient and up to par with what they are wanting from that distro then it'd be a good distro for them. To argue whether or not a TRUE white-hat security tester or anyone for that matter, really needs an over-kill like Backtrack is once again, a matter of opinion.

You really do bring up a lot of good points though and honestly have kind of swayed me a bit in regards to the motives but regardless of motives, usage, and general audience, I don't think a well developed distribution should be criticized for that. Instead, the makers, users, and stereotypes associated should be :P

I stumbled across this thread by way of a google search "backtrack wireless adapter vmware" because I have the exact same question as the original poster, but you would think I searched "Ethical and technical discussion about the relevance of backtrack". I thought it was generally bad forum manners to derail the topic of thread. I guess bumping a 2 year old thread just to add my two cents isn't a big deal then.