[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Red team attacks vs. cracking

Javier Fernández-Sanguino Peña <jfs@computer.org> writes:

> Claiming that what Martin did was good since he was showing
> something useful for our community is equivalent to saying it was a
> "red team attack". Nobody used that term explicitly probably because
> they are unfamiliar with it. I know what it means, I've done my
> share of pen-testing to companies.

Perhaps some people have argued that it was good what he did; I have
not.  I have constrained my comments to arguing only that what he did
was not, so far as we know, either fraudulent or forgery.

What he did may have beneficial consequences, if it encourages people
to be more careful in the future, but certainly I would agree that
this does not justify it.

I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said.  Martin certainly should follow the protocols
established, but I would only count "established" as being what is
actually written down by the KSP organizers, and not just some kind of
general unspoken expectation.  (Where can I read about those written
protocols, if there are any?)

> I find this akin to people finding and exploiting web app vulnerabilities
> (without being payed for by the company and without their approval). 
> To "show" that webapps are vulnerable.

Indeed, if he did violate the written rules of the KSP, then it is
much like this.  (That still doesn't make it forgery, fraud, or
dishonesty, however.)

At the same time, we should *also* recognize that anyone who signed on
the basis of the Transnational Republic ID (unless they have more
information about that organization than the rest of us do) has *also*
broken the rules of the KSP.

Moreover, the harm caused by people who did not properly check the ID
is *worse* than the harm caused by not following the written KSP rules
(if indeed he didn't follow them).  So I ask, ONE MORE TIME, HOPING

Manoj, did you sign the key on the basis of the Transnational Republic

Javier, did you?


Reply to: