Re: Red team attacks vs. cracking



Javier Fernández-Sanguino Peña <jfs@computer.org> writes:

> Claiming that what Martin did was good since he was showing
> something useful for our community is equivalent to saying it was a
> "red team attack". Nobody used that term explicitly probably because
> they are unfamiliar with it. I know what it means, I've done my
> share of pen-testing to companies.

Perhaps some people have argued that it was good what he did; I have
not.  I have constrained my comments to arguing only that what he did
was not, so far as we know, either fraudulent or forgery.

What he did may have beneficial consequences, if it encourages people
to be more careful in the future, but certainly I would agree that
this does not justify it.

I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said.  Martin certainly should follow the protocols
established, but I would only count "established" as being what is
actually written down by the KSP organizers, and not just some kind of
general unspoken expectation.  (Where can I read about those written
protocols, if there are any?)

> I find this akin to people finding and exploiting web app vulnerabilities
> (without being paid for by the company and without their approval).
> To "show" that webapps are vulnerable.

Indeed, if he did violate the written rules of the KSP, then it is
much like this.  (That still doesn't make it forgery, fraud, or
dishonesty, however.)

At the same time, we should *also* recognize that anyone who signed on
the basis of the Transnational Republic ID (unless they have more
information about that organization than the rest of us do) has *also*
broken the rules of the KSP.

Moreover, the harm caused by people who did not properly check the ID
is *worse* than the harm caused by not following the written KSP rules
(if indeed he didn't follow them).  So I ask, ONE MORE TIME, HOPING
FOR AN ANSWER:

Manoj, did you sign the key on the basis of the Transnational Republic
ID?

Javier, did you?

Thomas