In some mail from rob .
uk, sie said:
> Some mail from Darren Reed said:
> >You never can be certain. You can only ever be certain that your
> >systems pass or fail whatever tests they are knowingly subjected to
> >(this is one of the issues with Tiger Teams and what they can do for
> You still appear to be missing the point; There are only so many tests
> that "authorised" specialists can run, be they tried & trusted or
> otherwise. The point I'm making, is that the only way a system's
> security can truly be assessed, is by letting it loose on the internet,
> where there are an infinite number of "tests" available!
This point has been discussed many times in reference to "break in"
competitions. It has generally been agreed upon that all you ever prove is
that you can keep out those who attempt to break in, not that you can keep
everyone out or that you're immune to every attack.
Whilst an infinite number of tests _might_ be available, only a finite
number can be carried out and if you're knowledgeable enough about what
it is that is being "tested", you should be able to replicate or deal
with a good % of those tests.
> I agree that it's unfortunate that the crackers have to be "unauthorised".
The only other option is to decriminalise what they do. Back in the
early days of the Internet, they weren't doing anything illegal when they
played their games from the Netherlands (I'm sure you've read the Berferd
story, and others).
I think it is quite fortunate for us that (using this example) the
government in the Netherlands eventually moved to put in place laws which
allowed those pranksters to be arrested.
> I'm not condoning hacking in any way - I'm merely suggesting that in their
> way, they are providing a service to US, by exposing the weaknesses in our
> security systems. I never suggested that crackers were scrupulous.....
Well, I prefer the "information" only service, without the break-ins or
attempted break-ins, wouldn't you?