
You are comparing a $1000 commercial product to open source Ruby code. Metasploit is sponsored by Rapid7, which does in fact have a product that is competitive with your offering.

Do we need to get into a detailed discussion of why I think the plug for your scanner is inappropriate for this thread? Or can we just let it suffice to say that HN isn't a great place to promote products on random threads?



I don't know when HN became a place where hackers felt afraid of plugging their products - given that we are all hackers trying to build/sell products - where appropriate.

I don't get the big fuss.

If it was a story about Bingo Cards, and patio11 plugged bcc.com I am pretty sure you wouldn't be all worked up about this.

Let's just calm it down a notch and not try to be kingmakers here.

If the community found the plug abhorrent, they would downvote it. He would get the point.

Although, to be quite honest, now you have given his product even more promotion and visibility so it's a net positive for him - not sure it's the result you wanted in the first place.

And given that I would likely do something similar, kudos to him for every extra dollar he has earned from your rant.


I'm not comparing, I'm telling the difference. Just like Netsparker will not do port scanning, possibly Metasploit will not do full web app stuff. You can talk with someone from Rapid7 and they'll tell you the same thing. And for the record I love Metasploit, it's a fantastic tool.

We have a good relationship with the Rapid7 guys, they even have a module to import Netsparker results into Metasploit and we keep getting synced with them in new updates.

> Or can we just let it suffice to say that HN isn't a great place to promote products on random threads?

Personally I love seeing other HNers post their related products, projects, startups, commercial ideas, job ads in HN threads, I don't think there is anything wrong with that. You might think otherwise, that's why there is one upvote and one downvote button.


Metasploit isn't a web application penetration tool. W3af, the other open source security tool Rapid7 sponsors, is. Meanwhile, Rapid7's commercial offering, Nexpose, also crawls Ajax applications and, if this flaw is as simple as people seem to think it is, would likely have found it... as would OWASP WebScarab or Burp (a tool that costs a fraction of what your tool does and belongs in the back pocket of every web developer).

I'm responding harshly because I do not agree with your logic (to wit: any thread involving security is a great place to plug your scanner) and because I found your comparison of Netsparker to Metasploit disingenuous: Metasploit simply isn't Rapid7's web app offering.


> I found your comparison of Netsparker to Metasploit disingenuous

I have no position on whether he should mention his product in a news thread about SQLI, but he was responding directly to bjg, who said:

> That product looks awfully similar to Metasploit ( http://www.metasploit.com/ ) , no?
>
> How is it different?

So, his "comparison" was just responding to someone saying "How is it different?", literally.


Disclaimer: I use Metasploit on a more or less daily basis, as well as Burp Suite Pro and more recently have been evaluating NetSparker Community Edition as our Canvas D2 subscription is up for renewal, and we've been considering switching to NetSparker. I've met Ferruh once at DC4420[1] and he seemed like a sound guy to have a beer with.

Ferruh was simply responding to a direct question about how it was different. Sure, he's the author but a) he was asked. b) he's probably best suited.

Ferruh isn't running a Matasano-scale operation, he's doing it on his own, peldi style.

It's not inappropriate for him to discuss his product, nor to answer questions on it - this is a startup community after all. At what point did you become the HN comment police?

[1] http://www.dc4420.org



