Jikto Source Code Situation
I read Billy’s Post concerning the release of Jikto code, and want to share my thoughts.
Just to make sure facts stay straight –
I was at Shmoocon, and watched Billy Hoffman’s presentation about Jikto. At one point during the presentation he was trying to show how the code worked, and switched to a window displaying the URL it was including. As this part of the demonstration showed how it can be incorporated into sites such as Google Translate, Jikto needed to be accessible to Google Translate. I was sitting near the front, caught the URL, and downloaded it.
I had put the code up on a site of mine for only a short while before Billy called me and kindly asked me to take it down, and explained the media frenzy surrounding the code, its purpose, and SPI Dynamics’ release of it. I meant no harm to Billy or SPI, and immediately took it down. My interest in the code was purely from the perspective of how it worked. I’m an Information Security Consultant with Security Management Partners in Boston, MA and imagined being able to use his proof of concept for phishing exercises we create for clients.
We create fake websites, and email employees to test their compliance with policies regarding clicking links or attachments in emails. Obviously being able to include code which could perform reconnaissance of their Internal network before we even step on site would be an excellent demonstration to clients as to the severity of employees accessing unknown sites. Even more extreme is the fact that this can be included via XSS attacks, making it come from a real site such as cnn.com.
My understanding of Jikto is that it will not take down the Internet, or cause the other alarmist reactions; it’s just an interesting proof of concept demonstrating an interesting way to enumerate information about systems while dealing with the constraints of the security model.
Regarding RSnake’s comment, I believe Billy did actually go to great lengths to protect the code, and still perform his demonstration. A testament to this is the fact that all I actually got was client-side code — I did not get the GUI control component, viewer, etc. So the piece released was incomplete, and not actually usable in its current form. I’ve not executed the code, and unless others have coded their own control/viewer component, it’s not that big of a deal that a small piece of it got out.
Update: IDG articles have been released, such as the one in InfoWorld; ZDNet blogged about it, as did the CNet Security Blog; I posted on VulnerableMinds.

on April 3rd, 2007 at 7:07 am
Ha... RIT at work. Nice. I do very similar work in Chicago. Let me know if you are going to be at Black Hat this year so we can meet up.
Gleb