Well, I haven't done pen testing in about 6 years or so, but I started doing them in 1994 as a firewall admin in college. Later did security research/testing at Bell Labs until 2002.

So I kind of understand the concept of running a pen test. One of the things that was crucial with doing pen testing on someone's network was _getting_permission_. You just can't compromise a network and then say "I was trying to help you fix your issues!" when caught.

>>>>>
This student was clearly not as stupid as you seem to think he was. I'd like to see you try and fix the security holes he found, without referencing his report.
>>>>>

I think you're mistaking outcome vs. intent. I'd expect better reading comprehension skills from someone who suggested I brush up on _my_ reading to understand security.

>>>>>
Did you read the article? How likely do you think this university would be to give someone like him, permission to "test" their security? Why don't you try asking at *your* local university, and see what they say? I'll be happy to visit you in jail.
>>>>>

I'm missing your logic here - I'd go to jail for asking my university to all me to run a test? Well, I graduated years ago, but they'd probably say no and no crime is committed.

But you're suggesting it's okay to run the test without their knowledge?

Do me a favor, save your note, and read it again long after you graduated and been working in the industry, provided you have the analytical skills to be employable. You'll see the foolishness of your ways.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/481/35182#35182