Date: Wed, 22 Feb 2006 10:16:15 +0100
From: Casper.Dik@....COM
To: Crispin Cowan <crispin@...ell.com>
Cc: Ansgar -59cobalt- Wiechers <bugtraq@...netcobalt.net>,
	bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking



>However, there is one hole here. Under the "hack your own machines"
>policy, certain large/expensive systems (mainframes) are too expensive
>for basement hackers to acquire. Thus they go largely unexamined. This
>is a 2-edged sword:
>
>    * reduced expense for the vendor because of a lot less "bug of the
>      week" patching
>    * increased risk for system owners vs. *professional* intruders;
>      because the script kiddies are not attacking these platforms, it
>      is a "target rich environment" for professional,
>      financially-motivated attackers

Unless, of course, these large systems run a standard operating
system and not some Dinosaur holdout OS.

>This is an example of the hole. The proper thing for the defender to do
>would be to put up a test system with fake accounts and invite attack
>against the test system. If the site operator chooses not to do so, then
>it is at the expense of their customer's risk. But under no
>circumstances is it proper for researchers to deliberately hack
>production servers that they do not own.

With production servers I take it you mean "any system" as figuring
out what a system does is rather difficult.

Casper

