
There are a lot of tools out there to do a lot of things with, like sniffing, scanning, and even backdoors. However, I have a really hard time trusting these tools. When I install them at home and target my computers, how can I trust that the tools I'm using do not harm me?

  • Example 1 - Metasploit, Meterpreter especially: I use Metasploit. With a trusted exploit, that gives me a Meterpreter connection. How can I trust that Meterpreter in fact does what it claims to do, and does not open backdoors here and there? I consider this tool an industry standard for its purpose in a sense, but still, do you trust it?

  • Example 2 - Google: Ratproxy is a product of Google, and that sounds trustworthy, right? It's also open source. But it's just Google that develops it? It would probably take me a year to read and understand all the code. How can this be trusted? Do you trust it?

  • Example 3 - Online tools: Right now, I use online tools to do some things, like base64 encoding. I then need to trust the tool with JavaScript. It's fairly easy to look at the JavaScript code, but it would be less time consuming to just write a Base64 decoder and encoder tool with GUI. I will do this, but until then, I just have to trust these tools. How do you trust similar tools? Do you?

  • Example 4 - Burp Suite: Burp Suite really seems to be the #1 "HTTP-proxy and more" tool to use, but it's proprietary and not open source. It's written in Java, but probably properly obfuscated, so that we can't know exactly what it does. Trustworthy? "Of course, use it! All my friends use it..."!?

  • Example 5 - Bundles: There are some security tool bundles out there. Specifically, I would like to discuss Kali/Backtrack. It comes with a lot of tools. Do you trust their pick of tools? Do you trust the company itself? Of course, with that many tools, they can't know everything about every tool, but they are smart guys, I guess, so the question is whether they added just the tools they trust themselves, or they just added everything that their users would like to see in the bundle/distribution?

Please discuss around those examples and maybe come up with your own examples. What tools should we trust? Why? What is your definition of trust? Mine is that I would run it on my own desktop computer (not in a VM).

EDIT: Also, how can we distinguish between tools that were created with the following philosophies:

  • "I'll make this tool because I hate script kiddies, so I will harm them and use it for my own purposes.", and

  • "I'll make this tool to make my life as a security researcher and pen-tester easier, and if it's good, I'll share it with the community."

TildalWave
  • "Please discuss" questions are not on-topic for this site. This site is for receiving specific answers to specific questions. Discussion is explicitly and intentionally off-topic. – tylerl Aug 02 '13 at 20:27
  • An answer can include a discussion, especially in the security field... don't think like a robot. My question is big and includes several sub-questions. But the question is: How can we trust the tools? (tools are the tools we use while working with security) This question is just as valid as "Is Google spying on all of us?" – David from earth Aug 02 '13 at 20:49
  • I find this question really important since it's vital not to let bad guys into the system you are testing. – David from earth Aug 02 '13 at 20:56
  • You don't know everyone out here on this website, you don't know whether the answer they are posting to your question is right or wrong, but you go by the reputation of the person as well as the belief that if a person posts a wrong answer, other people are monitoring and looking at the discussion as well and will detect it. Maybe you don't have the capacity or knowledge to go through each line of code of these tools yourself, but you are not the only one using those tools and people around the world are constantly looking at and improving the source code of these tools. – void_in Aug 02 '13 at 23:22
  • @Davidfromearth How the question is worded and what sort of response is requested is a critical aspect of whether it stays open. The question "how do I know if I can trust this tool" is actually **on topic**, but "here's a list of several tools, please discuss the general topic of trust" is too broad. I think if you pare the question down a bit and simplify it, it will be kept open. Try to limit it to one single question with one single answer. You have about 7 or 8 questions in here; that's too many. You don't want to solicit an essay, you want a precise answer. Slim it down and re-open it. – tylerl Aug 03 '13 at 01:02
  • @Davidfromearth FWIW, [Is Google spying on all of us](http://security.stackexchange.com/q/24493/2264) was a terrible question in most of the admins' opinions. See [the chat logs here](http://chat.stackexchange.com/transcript/message/7020075#7020075) – tylerl Aug 03 '13 at 01:12
  • Okay, next time I'll think more about how I ask my questions. Maybe divide it into several ones and instead link them together for interested readers. I'm new to this kind of forum when it comes to posting but I have read a lot so I will do my best to make it useful for others. – David from earth Aug 03 '13 at 01:54

2 Answers


You cannot trust any software... but you have to start somewhere. Usually, you use reputation; see this answer for an explanatory analogy on the subject.

And then there can be trust transfers: that's what occurs with operating systems. You select an OS (possibly, it comes pre-installed with your computer, or you buy an installation DVD, or whatever). Then, this OS will install upgrade tools which can install other packages, provided that a digital signature on them is verified. This is typical of Linux systems: you install a base Ubuntu or RedHat or Debian system, from an installation medium, and then you have access to dozens of gigabytes of extra packages, which you can obtain through a network. The package installation system checks that the package is "genuine" by virtue of being signed by an allowed maintainer. Basically, you have transferred your trust into the hands of the people who maintain the OS distribution, i.e. who prepare the software packages and decide which are trustworthy enough.

What is amazing is that this system tends to work. Incidents are rare. One high-profile case dates from 2008: an intruder hijacked some systems at RedHat and could sign some fake OpenSSH packages with backdoors included.

Security tools like metasploit tend to stretch trust to its limits, because these tools are, by definition, written by people who are involved in the security trade, and thus should know how to plant backdoors silently. There is always a lingering suspicion that the people who know most about writing exploits to hijack other systems would also be the people most prone to, well, write exploits to hijack other systems, yours in particular. Rational ways to cope with that include:

  • Running all tools within some layers of virtual machines to try to isolate them and monitor them and detect foul play.
  • Trusting the tools blindly and walking through life in a state of blissful gullibility.
  • Switching careers, leaving IT security altogether, and breeding goats instead.
Tom Leek
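The "trust transfer" this answer describes, modelled as an added example (this is not code from the answer, nor from apt or any real distribution): one key shipped with the OS signs a small Release file, the Release file names the hash of a package index, and the index names the hash of every package, so one signature check vouches for the whole archive. The RSA is textbook RSA with 30-bit primes, there only to make the mechanism visible; it is not secure. Package names and contents are constructed sample data. The three failure cases at the end show what the chain catches (a swapped package, a re-signed archive) and what it cannot catch (the signing key itself in the intruder's hands, as in the 2008 Red Hat case).

```python
# Added example: toy model of apt-style Release / Packages / package trust chain.
# Textbook RSA with tiny primes, constructed sample packages. NOT secure.
import hashlib

E = 65537


def make_key(p: int, q: int):
    """Textbook RSA keypair from two caller-supplied primes (toy sizes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)              # (public, private)


def _digest_int(data: bytes) -> int:
    # Truncate SHA-256 to 56 bits so the signed value stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repo(maintainer_priv, packages: dict) -> dict:
    """Distribution side: hash every package into an index, hash the index
    into Release, and sign only Release (the shape apt repositories use)."""
    index = "".join(f"{name} {sha256(blob)}\n"
                    for name, blob in sorted(packages.items())).encode()
    release = f"Packages {sha256(index)}\n".encode()
    return {"Release": release, "Release.sig": sign(maintainer_priv, release),
            "Packages": index, "pool": dict(packages)}


def install(repo: dict, name: str, keyring: list) -> bytes:
    """Client side: return package bytes only if every link from a trusted
    key down to the package content verifies; raise ValueError otherwise."""
    release, sig = repo["Release"], repo["Release.sig"]
    if not any(verify(pub, release, sig) for pub in keyring):
        raise ValueError("Release is not signed by a key in the trusted keyring")
    want_index = dict(line.split() for line in release.decode().splitlines())
    if sha256(repo["Packages"]) != want_index["Packages"]:
        raise ValueError("Packages index does not match the signed Release")
    want_pkg = dict(line.split() for line in repo["Packages"].decode().splitlines())
    if name not in want_pkg:
        raise ValueError(f"{name} is not listed in the signed index")
    blob = repo["pool"][name]
    if sha256(blob) != want_pkg[name]:
        raise ValueError(f"{name}: content does not match the signed index")
    return blob


def outcome(repo: dict, name: str, keyring: list) -> str:
    """'ok' if install() accepts the package, otherwise the reason it refused."""
    try:
        install(repo, name, keyring)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    maint_pub, maint_priv = make_key(1000000007, 998244353)
    keyring = [maint_pub]  # the key that ships on the install medium
    packages = {"openssh-server": b"sshd (constructed sample bytes)",
                "nmap": b"nmap (constructed sample bytes)"}
    repo = build_repo(maint_priv, packages)
    results = {"genuine": outcome(repo, "nmap", keyring)}

    # 1. A mirror swaps in a backdoored package: its hash no longer matches the index.
    swapped = {**repo, "pool": {**repo["pool"], "openssh-server": b"sshd + backdoor"}}
    results["swapped_package"] = outcome(swapped, "openssh-server", keyring)

    # 2. Attacker rebuilds index and Release as well, but signs with their own key.
    _, attacker_priv = make_key(1000000009, 1000000021)
    forged = build_repo(attacker_priv, {**packages, "openssh-server": b"sshd + backdoor"})
    results["resigned_by_attacker"] = outcome(forged, "openssh-server", keyring)

    # 3. The maintainer's own key is used by the intruder: the chain cannot tell.
    stolen = build_repo(maint_priv, {**packages, "openssh-server": b"sshd + backdoor"})
    results["signed_with_stolen_key"] = outcome(stolen, "openssh-server", keyring)
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

Case 3 is the point of the answer's "incidents are rare" remark: signature checking moves the question from "is this package genuine" to "is this key still only in the maintainers' hands", which is exactly the trust you have transferred and can no longer verify yourself.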

The simple answer is you can't truly guarantee anything unless you review the code, the compiler, the build, the OS of the system you are running it on, the design and implementation of the processor, the power being provided to your computer, etc, etc.

Security isn't about ensuring things 100%, it's about risk management. You make educated decisions on how far to trust something based on how you decide to measure risk. Do you trust the CA providing the certificate to the site you are downloading, if so, do you trust the company they issued it to, do you trust what they put up, do you trust other people who have used it without issue? You have to make a judgement call as to what you think the risk is.

Then, after you know what you think the risk is, you decide on measures to mitigate the risk. You can install it in a VM with a VLAN isolating it from your network or even put it on air gapped, dedicated, "dirty" hardware that remains physically separated from your protected systems. Or, if you are more trusting, you can simply virus scan it, read some reviews and move on. It's really all up to you as to how much risk is acceptable and how much effort you want to put into mitigating that risk.

Practically speaking, read reviews, ask about tools on popular security sites, find out what people's experiences are and if it seems to be reputable. If so, it's probably ok, but it's still ultimately your judgement of acceptable risk.

AJ Henderson