I think that’s a bit of reductio ad absurdum from what has been said. I would prefer that researchers collaborate to: 1. Compile a list of lists that should be notified of such experiments in advance. Try to get the word out to as much of the community as possible through various NOGs and other relevant industry lists. 2. Use said list of lists to provide at least 7 days advance notice of such testing, ideally with links to the details of the vulnerability in question and known vulnerable and known good code bases for as many software/hardware platforms as feasible. (Ideally list unknowns and solicit feedback as well). 3. Provide contact information for reporting test-related problems, issues, affected software versions, etc. Ideally an email address for after-action reports of data and a phone number that will be monitored during active testing for emergent reports of test-related service disruptions. 4. Conduct the test for incrementally longer periods over time. e.g. start with a 15 minute test on the first try and then run 30, 60, and multi-hour tests on later dates after addressing any reported problems during earlier tests. I think such behavior would provide the best intersection of encouraging patching/fixing while also minimizing disruption and harm to innocent third parties. Owen
On Jan 26, 2019, at 8:15 AM, Randy Bush <randy@psg.com> wrote:
i just want to make sure that folk are really in agreement with what i think i have been hearing from a lot of strident voices here.
if you know of an out-of-spec vulnerability or bug in deployed router, switch, server, ... ops and researchers should exploit it as much as possible in order to encourage fixing of the hole.
given the number of bugs/vulns, are you comfortable that this is going to scale well? and this is prudent when our primary responsibility is a running internet?
just checkin'
randy
PS: if you think this, speak up so i can note to never hire or recommend you.
PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017 ^^^^^ :)