nanog mailing list archives

Re: BGP Experiment


From: Eric Kuhnke <eric.kuhnke () gmail com>
Date: Sat, 26 Jan 2019 12:29:11 -0800

I think a better question is, once a vulnerability has become widespread
public knowledge, do you expect malicious actors, malware authors and
intelligence agencies of autocratic nation-states to obey a gentlemen's
agreement not to exploit something?

There is not a great deal of Venn diagram overlap between "organizations
that will pay $2 million for a zero day remote exploit on the latest
version of iOS" and "people who care about whether Randy Bush recommends
them for a job".


On Sat, Jan 26, 2019 at 8:16 AM Randy Bush <randy () psg com> wrote:

i just want to make sure that folk are really in agreement with what i
think i have been hearing from a lot of strident voices here.

if you know of an out-of-spec vulnerability or bug in deployed router,
switch, server, ... ops and researchers should exploit it as much as
possible in order to encourage fixing of the hole.

given the number of bugs/vulns, are you comfortable that this is going
to scale well?  and this is prudent when our primary responsibility is a
running internet?

just checkin'

randy


PS: if you think this, speak up so i can note to never hire or recommend
    you.

PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy
     Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017
            ^^^^^ :)

