To what extent and to whom will you authorize to do that? 100 random college students? X number of new security firms? At some point it will break.

-- 
J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Jun 20, 2022, at 17:04, bzs@theworld.com wrote:
It seems to me there's vulnerability testing and there's vulnerability testing and just lumping them all together motivates disparate opinions.
For example, it's one thing to perhaps see if home routers' login/passwords are admin/admin or similar, or if systems seem to be vuln to easily exploitable bugs, and reporting such problems to someone in charge versus, say, hammering at some network to see when/if DDoS mitigation kicks in.
For example, I've gotten email in the past that some of my servers were running ntp in a way which makes them vuln to being used for DDoS amplification and, I believe, fixed that. I didn't mind.
Anyhow, you all probably get my point without further hypotheticals or examples.
Scanning for known vulns and reporting can be ok, testing to destruction? Not so much.
-- 
-Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
On June 20, 2022 at 18:01 jhellenthal@dataix.net (J. Hellenthal) wrote:
To what extent and to whom will you authorize to do that? 100 random college students? X number of new security firms? At some point it will break.
Define "authorize".
-- 
-Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*