Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote:

> > Is this really a bad thing? He proved that KSPs are bad for the web of trust.
> > A legitimate attacker could abuse the KSP just as easily as Martin, but
> > would result in actual damage, and would most likely not have been caught.
>
> Ask yourself: is it a good thing to covertly attack X? Is it good to then
> publish the results [1] claiming^Wboasting that you have broken X? Do you
> really need to be proven that X can be broken?
>
> Now change X to "KSP" or "Web server of company Y" or "(your country's)
> national security servers". What are your answers?
I have no opinion that I wish to state in this *particular* case, but in general, I support it.

I like this page: http://www.dataloss.net/papers/how.defaced.apache.org.txt

From the bottom of the page:

"We would like to compliment the Apache admin team on their swift response when they found out about the deface, and also on their approach, even calling us 'white hats' (we were at the most 'grey hats' here, if you ask us)."

I'm not saying everybody should be as accommodating as the ASF when their security gets compromised, but if somebody *does* hack you, then tells you how they did it, and they don't invade your privacy or do any harm to your stuff, then they have done you a service.

> [1] I will call it "publish" even if it was done in a rather obscure way.
> Not all developers are required to read Martin's blog, they are only
> required to read d-devel-announce

If Martin didn't tell the Debian team right away after he illegally crossed the fence, then that was irresponsible, but I still have no opinion as to what should be done with him.

- Tyler