>However, there is one hole here. Under the "hack your own machines"
>policy, certain large/expensive systems (mainframes) are too expensive
>for basement hackers to acquire. Thus they go largely unexamined. This
>is a two-edged sword:
>
> * reduced expense for the vendor because of a lot less "bug of the
>   week" patching
> * increased risk for system owners vs. *professional* intruders;
>   because the script kiddies are not attacking these platforms, it
>   is a "target rich environment" for professional,
>   financially-motivated attackers

Unless, of course, these large systems run a standard operating system
and not some dinosaur holdout OS.

>This is an example of the hole. The proper thing for the defender to do
>would be to put up a test system with fake accounts and invite attack
>against the test system. If the site operator chooses not to do so, then
>it is at the expense of their customers' risk. But under no
>circumstances is it proper for researchers to deliberately hack
>production servers that they do not own.

With "production servers" I take it you mean "any system", as figuring
out what a system does is rather difficult.

Casper