Date: Wed, 22 Feb 2006 10:16:15 +0100
From: Casper.Dik@....COM
To: Crispin Cowan <crispin@...ell.com>
Cc: Ansgar -59cobalt- Wiechers <bugtraq@...netcobalt.net>,
bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking

>However, there is one hole here. Under the "hack your own machines"
>policy, certain large/expensive systems (mainframes) are too expensive
>for basement hackers to acquire. Thus they go largely unexamined. This
>is a 2-edged sword:
>
> * reduced expense for the vendor because of a lot less "bug of the
>   week" patching
> * increased risk for system owners vs. *professional* intruders;
>   because the script kiddies are not attacking these platforms, it
>   is a "target rich environment" for professional,
>   financially-motivated attackers

Unless, of course, these large systems run a standard operating
system and not some Dinosaur holdout OS.

>This is an example of the hole. The proper thing for the defender to do
>would be to put up a test system with fake accounts and invite attack
>against the test system. If the site operator chooses not to do so, then
>it is at the expense of their customer's risk. But under no
>circumstances is it proper for researchers to deliberately hack
>production servers that they do not own.

With production servers I take it you mean "any system" as figuring
out what a system does is rather difficult.

Casper