
Re: Red team attacks vs. cracking

On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
> Manoj Srivastava <srivasta@debian.org> writes:
> >         This is to forestall those of you who seem to be arguing
> >  that the debconf6 KSP crack was a red team attack -- here is how that
> >  attack differed from a legitimate red team effort (I have been a
> >  member of red teams before, and have led a number of red team
> >  attacks in my time).
> I haven't heard anyone make such a claim.

Claiming that what Martin did was good since he was showing something useful
for our community is equivalent to saying it was a "red team attack". Nobody
used that term explicitly, probably because they are unfamiliar with it. I
know what it means; I've done my share of pen-testing for companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a "red team" test) and that Martin *did* abuse our [0] trust [1]

I find this akin to people finding and exploiting web app vulnerabilities
(without being paid by the company and without its approval) in order to
"show" that webapps are vulnerable.



[0] The assistants to the KSP

[1] By not providing a *proper* ID as required by the KSP organisers (and
all KSP protocols I've read). Notice that he himself has described his ID
as not being *proper* and that it was the whole point of his exercise.
