BugTraq
Vulnerabilites in new laws on computer hacking Feb 11 2006 04:35PM self-destruction itsbest com (4 replies)
Re: Vulnerabilites in new laws on computer hacking Feb 16 2006 01:54PM Jon Gucinski (Jgucinski midwestbank com) (1 replies)
Re: Vulnerabilites in new laws on computer hacking Feb 16 2006 09:34AM Radoslav Dejanović (radoslav dejanovic opsus hr)
Re: Vulnerabilites in new laws on computer hacking Feb 16 2006 02:55AM Glynn Clements (glynn gclements plus com)
Re: Vulnerabilites in new laws on computer hacking Feb 15 2006 06:22PM Paul Schmehl (pauls utdallas edu) (3 replies)
Re: Vulnerabilites in new laws on computer hacking Feb 17 2006 01:23PM Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (2 replies)
Re: Vulnerabilites in new laws on computer hacking Feb 21 2006 11:48AM Crispin Cowan (crispin novell com) (2 replies)
Re: Vulnerabilites in new laws on computer hacking Feb 22 2006 11:16AM Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Vulnerabilites in new laws on computer hacking Feb 20 2006 10:30AM Radoslav Dejanović (radoslav dejanovic opsus hr)
Re: Vulnerabilites in new laws on computer hacking Feb 16 2006 05:19PM Sysmin Sys73m47ic (sysmin systematic gmail com)
Re: Vulnerabilites in new laws on computer hacking Feb 16 2006 04:45PM Max Ashton (maxashton eml cc)
>However, there is one hole here. Under the "hack your own machines"
>policy, certain large/expensive systems (mainframes) are too expensive
>for basement hackers to acquire. Thus they go largely unexamined. This
>is a 2-edged sword:
>
> * reduced expense for the vendor because of a lot less "bug of the
> week" patching
> * increased risk for system owners vs. *professional* intruders;
> because the script kiddies are not attacking these platforms, it
> is a "target rich environment" for professional,
> financially-motivated attackers
Unless, of course, these large systems run a standard operating
system and not some Dinosaur holdout OS.
>This is an example of the hole. The proper thing for the defender to do
>would be to put up a test system with fake accounts and invite attack
>against the test system. If the site operator chooses not to do so, then
>it is at the expense of their customer's risk. But under no
>circumstances is it proper for researchers to deliberately hack
>production servers that they do not own.
With production servers I take it you mean "any system" as figuring
out what a system does is rather difficult.
Casper