Nicolas Williams wrote:
> On Wed, Nov 25, 2009 at 02:00:41AM -0800, Garrett D'Amore wrote:
>
>> I'm actually of the opinion that this is not something we ought to be
>> bundling with our systems. I understand there might be some intent to
>> allow administrators to do penetration testing, but I really believe we
>> shouldn't be encouraging end-users to do this. Basically, tools like
>> this just facilitate life for the "script kiddies". From an
>> architectural point of view, does it make sense that we include tools
>> that have the primary purpose of being used to identify and exploit
>> weaknesses in the network infrastructure? I really don't think so.
>>
>
> If it can be downloaded, built and run, it should be something that can
> live in some OpenSolaris pkg repository.
>

Totally agreed.

> That the software in question could be used maliciously is not enough to
> keep it out, IMO: it has non-malicious uses too. I would certainly
> agree on excluding zero-day exploits, of course. But for anything else,
> having a way to determine if you're patched up is incredibly useful.
>

Totally agreed. :-)

Thanks
Siwei

>
>> If just one corporate catastrophe is avoided by not having this kind of
>> software "too readily available", then I'll be glad we haven't shipped it.
>>
>
> Can you bring down an entire network? Or is this just penetration
> testing? If the former, I might agree, if the latter I would not.
>
> Nico
>