Black or White Hat?

I think *discovering* security holes is clearly beneficial, but *inventing* new tools that make it easier to exploit those holes seems overzealous to me. Yes, I understand these tools can be used to protect, but what about tools that use questionable means? Jikto, for example, uses unsuspecting website visitors' browsers to scan other websites for holes. Would any businesses use such tools to protect their sites? If not, who does it benefit? Is it security researchers' job to push the envelope of the black hats' state of the art?

"This is going to drastically change the scope of evil things you can do with JavaScript," Hoffman said. "Jikto turns any PC into my little drone. Your PC will start attacking Web sites on my behalf, and you're going to give me all the results." - Billy Hoffman, creator of Jikto, a researcher at SPI Dynamics

I believe that even the loftiest principles should be bounded by context. While I don't think security research should only be done reactively, I think the active research community should provide better guidelines to prevent people from going overboard.

Comments
If that quote was from a medical researcher about his nano-bots I think his ethics committee might want to have a word with him.
Then his colleagues might say that letting those nano-bots loose will finally bring lasting peace on earth...as peaceful as the moon that is.
Whitehat or Blackhat? Yin or Yang?

I have no clue if this tool will actually do a lot of damage to the community and people complaining about their sites being attacked. For once in my life, I wouldn't want to see this tool being released. Too much damage, especially if it gets into the hands of script kiddies.
SPI Dynamics decided not to release Jikto to the public. Smart and wise, I would say.