On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote: > Manoj Srivastava <srivasta@debian.org> writes: > > > This is to forestall those of you who seem to be be arguing > > that the debconf6 KSP crack was a red team attack -- here is how that > > attack differed from a legitimate red team effort (I have been a > > member of red teams before, and have lead a number of red team > > attacks in my time). > > I haven't heard anyone make such a claim. Claiming that what Martin did was good since he was showing something useful for our community is equivalent to saying it was a "red team attack". Nobody used that term explicitly probably because they are unfamiliar with it. I know what it means, I've done my share of pen-testing to companies. I do agree with Manoj that this was *not* a legitimate experiment (i.e. not a "red team" test) and that Martin *did* abuse our [0] trust [1] I find this akin to people finding and exploiting web app vulnerabilities (without being payed for by the company and without their approval). To "show" that webapps are vulnerable. Regards Javier [0] The assistants to the KSP [1] By not providing a *proper* ID as required by the KSP organisers (and all KSPs protocols I've read ). Notice that he himself has described his ID as not being *proper* and that it was the whole point of his excercise.
Attachment:
signature.asc
Description: Digital signature