
Re: Red team attacks vs. cracking




"Javier Fernández-Sanguino Peña" <jfs@computer.org> wrote in message news:20060530172008.GA8099@javifsp.no-ip.org...

> Claiming that what Martin did was good since he was showing something
> useful for our community is equivalent to saying it was a "red team
> attack". Nobody used that term explicitly, probably because they are
> unfamiliar with it. I know what it means; I've done my share of
> pen-testing for companies.
>
> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1].

Had Martin never mentioned this, it would have been a non-issue.
There is no real damage. While signatures may have been based on
a non-official ID, Martin did indeed own the key in question, so
the end harm is zero. But Martin decided to publish this experiment.
Is this really a bad thing? He proved that KSPs are bad for the web of trust.
A legitimate attacker could abuse the KSP just as easily as Martin, but
it would result in actual damage, and would most likely not have been caught.

So, if KSPs are not changed, then the web of trust becomes effectively worthless. Manoj should be far more concerned about that than about Martin's demonstration of this.


