
Re: Red team attacks vs. cracking

On Tue, May 30, 2006 at 01:40:39PM -0400, Joe Smith wrote:
> Is this really a bad thing? He proved that KSP are bad for the web of trust.
> A legitimate attacker could abuse the KSP just as easily as Martin, but
> would result in actual damage, and would most likely not have been caught.

Ask yourself: is it a good thing to covertly attack X? Is it good to then
publish the results [1] claiming^Wboasting that you have broken X? Do you
really need it to be proven that X can be broken?

Now change X to "KSP" or "Web server of company Y" or "(your country's)
national security servers". What are your answers?

In the place I work at, attacks are only done either on your head (that's
what attack trees [0] and risk analysis are for) or with the keyboard (or
phone) after whomever is in charge of X has asked for, acknowledged and
*approved* the attack. Why?  Because given enough resources (money, time, you
name it) most attacks will succeed against X. So the question is not *if* you
can break X but *when* and *how* can you break it. The attack is introduced
to see if there could be changes implemented to make it more difficult for a
wannabe attacker or to detect an ongoing attack and, consequently, minimise
the risk.

We are not talking about national security or public safety here. If Martin
wanted to prove that attacks against KSPs can happen, he could have managed
his attack in an open way (as Manoj said, "contact management and get their
approval") and then used that to enlighten us all.

What he did is wrong (and dishonest), even if the end result is "good": these
long threads, knowledgeable people discussing the effectiveness of KSPs and
non-knowledgeable people getting a clue. You might think that "the ends
justify the means" [2], I don't.



[0] http://www.schneier.com/paper-attacktrees-ddj-ft.html

[1] I will call it "publish" even if it was done in a rather obscure way.
Not all developers are required to read Martin's blog; they are only required
to read d-devel-announce.

[2] Google found this Wired article for me, which is nice:
