From: "Atom Powers"
To: "Charles Swiger"
Cc: FreeBSD Mailing List, TRODAT
Date: Mon, 15 May 2006 14:27:17 -0700
Subject: Re: Security Testing on Production Systems

On 5/15/06, Charles Swiger wrote:
> On May 15, 2006, at 4:54 PM, TRODAT wrote:
> > This is a hot topic as of late where I work:
> >
> > Once a system has gone into 'production' should testing,
> > specifically security, be done on it if the system could be broken
> > by the test itself?
> >
> > What is your take on this issue and why?
>
> Yes, although you should schedule possible intrusive or disruptive
> security/pentesting for an appropriate time where you can afford to
> recover from any problems which occur.
>
> Most systems which fail under testing have sufficient issues that
> they fail under some naturally-occurring load conditions.

And even if you are not running the tests, there is a good chance
somebody out there is. I'm sure you would much rather crash your
system under controlled conditions than wait for some kiddie to do it
for you.

> Backups
> are your friends. Your best friends.

(but that @#$% mechanical arm on the tape library...)

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--