On Wed, Nov 25, 2009 at 02:00:41AM -0800, Garrett D'Amore wrote:

> I'm actually of the opinion that this is not something we ought to be
> bundling with our systems. I understand there might be some intent to
> allow administrators to do penetration testing, but I really believe we
> shouldn't be encouraging end-users to do this. Basically, tools like
> this just facilitate life for the "script kiddies". From an
> architectural point of view, does it make sense that we include tools
> that have the primary purpose of being used to identify and exploit
> weaknesses in the network infrastructure? I really don't think so.

If it can be downloaded, built and run, it should be something that can live in some OpenSolaris pkg repository. That the software in question could be used maliciously is not enough to keep it out, IMO: it has non-malicious uses too. I would certainly agree on excluding zero-day exploits, of course. But for anything else, having a way to determine if you're patched up is incredibly useful.

> If just one corporate catastrophe is avoided by not having this kind of
> software "too readily available", then I'll be glad we haven't shipped it.

Can you bring down an entire network? Or is this just penetration testing? If the former, I might agree; if the latter, I would not.

Nico
--