On 7/28/16 11:56 AM, Niels Bakker wrote:
> * mfidel...@meetinghouse.net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 CEST]:
> [...]
>> Now if Cloudflare were to actively suggest that folks use vBooter to
>> test systems, as a way to boost sales for Cloudflare - that would
>> certainly be an interesting test case for RICO
>
> CloudFlare is doing nothing of the sort, and it's kind of vile for you
> to suggest otherwise, even ostensibly by way of floating it as a
> hypothetical.
Well, I don't know - if I were in the business of selling security
services, I'd probably suggest that potential customers do some
penetration and stress testing of their systems. And that seems pretty
legitimate.
For that matter - "here are some tools you can use to test your systems"
also strikes me as pretty legitimate.
On the other hand - one might argue that publishing something like "How
to Launch a 65Gbps DDoS, and How to Stop One"
https://blog.cloudflare.com/65gbps-ddos-no-problem/ - pushes the limits
a bit - depending on how much detailed "how-to" information one
provides, and how much one presents oneself as the solution.
Granted, there's a lot of value in education - I certainly want to
know the various ways folks might attack our systems, and the various
ways we might defend ourselves. But there are limits - not just legal
ones but, as others have pointed out, ethical ones and ones of good
taste. The CERT draws its lines in one place; on the other hand, Symantec
publishes white papers that give some rather in-depth analyses of
specific viruses - there for the googling. Cloudflare certainly comes
closer to one line than the other.
Opinions vary as to the ethics, taste, and legality of publishing
detailed how-to information - there's certainly enough out there from
sources with ill intent (including rather nasty libraries and tools that
require little technical expertise to utilize) - so I tend to favor more
details.
When one directly ties detailed how-to information with product/service
sales - now that strikes me as begging to be the target of some
interesting test cases. In Cloudflare's case - telling people how to
attack a site, hosting free & openly available tools that can support
such an attack, and selling services to mitigate the attack - now that's
a test case just waiting to happen. "How to Launch a 65Gbps DDoS, and
How to Stop One" seems like an open invitation to ambulance chasers and
aggressive prosecutors.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra