On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
> Manoj Srivastava <firstname.lastname@example.org> writes:
>
> > This is to forestall those of you who seem to be arguing
> > that the debconf6 KSP crack was a red team attack -- here is how that
> > attack differed from a legitimate red team effort (I have been a
> > member of red teams before, and have led a number of red team
> > attacks in my time).
>
> I haven't heard anyone make such a claim.

Claiming that what Martin did was good since he was showing something useful for our community is equivalent to saying it was a "red team attack". Nobody used that term explicitly, probably because they are unfamiliar with it. I know what it means, I've done my share of pen-testing for companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e. not a "red team" test) and that Martin *did* abuse our trust.

I find this akin to people finding and exploiting web app vulnerabilities (without being paid for by the company and without their approval) to "show" that webapps are vulnerable.

Regards

Javier

The assistants to the KSP

By not providing a *proper* ID as required by the KSP organisers (and all KSP protocols I've read). Notice that he himself has described his ID as not being *proper* and that it was the whole point of his exercise.