Comment by incrudible
4 years ago
You don't know that, but that's also irrelevant. There's always plausible deniability with such bugs. The point is that you need to catch the errors no matter where they come from, because you can't trust anyone.
4 years ago
You don't know that, but that's also irrelevant. There's always plausible deniability with such bugs. The point is that you need to catch the errors no matter where they come from, because you can't trust anyone.
Carrying out an attack for personal gain is malicious. It doesn't matter if the payload is for crypto mining, creating a backdoor for the NSA, or a vulnerability you can cite in a paper.
Pentesting unwitting participants is malicious, and in many cases illegal.
But that's the point, you're a security researcher wanting to get the honors of getting a PhD, not a petty criminal, so you're supposed to have a strong ethical background.
A security researcher doesn't just delete a whole hard drive's worth of data to prove they have the rights to delete things, they are trusted for this reason.
It is ironic that you introduce plausible deniability here. No one as concerned about security as you profess to be should consider the presence of plausible deniability as being grounds for terminating a threat analysis. In the real world, where we cannot be sure of catching every error, identifying actual threats, and their capabilities and methods, is a security-enhancing analysis.