Nicolas Williams wrote: > On Wed, Nov 25, 2009 at 02:00:41AM -0800, Garrett D'Amore wrote: > >> I'm actually of the opinion that this is not something we ought to be >> bundling with our systems. I understand there might be some intent to >> allow administrators to do penetration testing, but I really believe we >> shouldn't be encouraging end-users to do this. Basically, tools like >> this just facilitate life for the "script kiddies". From an >> architectural point of view, does it make sense that we include tools >> that have the primary purpose of being used to identify and exploit >> weaknesses in the network infrastructure? I really don't think so. >> > > If it can be downloaded, built and run, it should be something that can > live in some OpenSolaris pkg repository. >
/contrib is fine, and doesn't require PSARC review. I'd have no qualms if someone decided to put this in /contrib. At that point it isn't something that Sun or the greater OpenSolaris community can be seen as "sponsoring" or "supporting". > That the software in question could be used maliciously is not enough to > keep it out, IMO: it has non-malicious uses too. I would certainly > agree on excluding zero-day exploits, of course. But for anything else, > having a way to determine if you're patched up is incredibly useful. > > >> If just one corporate catastrophe is avoided by not having this kind of >> software "too readily available", then I'll be glad we haven't shipped it. >> > > Can you bring down an entire network? Or is this just penetration > testing? If the former, I might agree, if the latter I would not. > Its penetration testing, with tests that are designed to attack routers and network infrastructure. I think this can be used malicious from one computer to actively attack a a network and do bad things to it. See: http://www.yersinia.net/attacks.htm While tools like this are useful for folks who audit the infrastructure of the network, I think giving anyone who has root on their system an "easy" way to just install the bits that can be used to bring down an entire network is... questionable. I understand that people are going to want this tool, and that its easy enough to download, compile, and install. *But* (and this is key), if we include it in an official release, then potentially we can be seen as supporting the tool's use. This is totally different from nmap, btw. IIUC, nmap does scans to passively identify potential weaknesses. I don't think it actually has any *exploits* for them. (Put another way, I don't think "nmap" used solely by itself can do serious harm. I think yersinia is quite different. I think their choice of name is suitably apropos -- naming after the black plague.) I feel strongly enough about this that I'm going to derail. I also request that the project team to consult with Sun's legal department. I'm concerned that inclusion of such software might actually be seen to condone its use for nefarious purposes and put us at legal risk in some jurisdictions. -- Garrett
