"The tool, called Jikto, can make an unsuspecting Web user’s PC silently crawl and audit public Web sites, and send
the results to a third party, Hoffman said.
But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they
change their mind," he said after his presentation. "We decided to focus on the educational message and show people
the danger."
Another SPI Dynamics representative at ShmooCon said the company had decided not to release Jikto because
that could play into the hands of cybercrooks. "We do not want to release anything that could be used for
malicious purposes," said Michael Sutton, a security evangelist for the company, which sells Web security tools.
Hoffman said he demonstrated Jikto to raise awareness." – CNET
A few other sites, such as Jeremiah's blog and RSnake's site, have debated Jikto's release. As someone who knows Billy (I used to work with Billy at SPI Dynamics), I know that this
was purely to raise awareness of some of the things that JavaScript can be used for and was in no way done with bad intentions.
Creating POC code to prove a point is very different from handing over a 'ready to go', fully featured toolkit.
I'm actually in agreement with the decision that was made, am happy that this talk was presented, and look forward
to future talks by him.
On a related note, before I get any emails regarding my XUL spoofed browser demo: while it was released,
it is crippled, allowing the point to be proven without handing over script-kiddie-friendly code.
Article Link: http://news.com.com/JavaScript+bug+hunting+tool+demonstrated/2100-1002_3-6170223.html