
Re: Red team attacks vs. cracking



Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:
> > Is this really a bad thing? He proved that KSP are bad for the web of trust.
> > A legitimate attacker could abuse the KSP just as easily as Martin, but
> > would result in actual damage, and would most likely not have been caught.
> 
> Ask yourself: is it a good thing to covertly attack X? Is it good to then
> publish the results [1] claiming^Wboasting that you have broken X? Do you
> really need to be proven that X can be broken?
> 
> Now change X to "KSP" or "Web server of company Y" or "(your country's)
> national security servers". What are your answers?

	I have no opinion that I wish to state in this *particular* case,
but in general, I support it.

	I like this page:

	http://www.dataloss.net/papers/how.defaced.apache.org.txt

	From the bottom of the page:

"We would like to compliment the Apache admin team on their swift response
when they found out about the deface, and also on their approach, even
calling us 'white hats' (we were at the most 'grey hats' here, if you ask
us)."

	I'm not saying everybody should be as accommodating as the ASF when
their security gets compromised, but if somebody *does* hack you, then tells
you how they did it, and they don't invade your privacy or do any harm to
your stuff, then they have done you a service.

> [1] I will call it "publish" even if it was done in a rather obscure way.
> Not all developers are required to read Martin's blog, they are only
> required to read d-devel-announce

	If Martin didn't tell the Debian team right away after he illegally
crossed the fence, then that was irresponsible, but I still have no opinion
as to what should be done with him.

	- Tyler
