> I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source. So I'm wondering why we seem comfortable with that, but not this.
Because pentesters get permission up-front. What the hell kind of pentesting operation are you running where you're trying to penetrate a site that isn't already one of your clients? You'd be in hot water, legally, if you did that--because the sites affected would have every reason to assume that you're malicious.
This is exactly the thing that was gone over last time, in the U of M case where researchers knowingly submitted exploitable code to see how the Linux kernel team would react. They were also compared to pentesters--but pentesters get permission first, and the U of M people didn't, which is why they were treated as malicious by the kernel team.
If you do not have rules of engagement that were agreed upon by the pentesting team and the client, you are not pentesting, you are committing some form of crime. Stop claiming that pentesters are allowed to phish/exploit things without permission, it makes everyone in that community look bad.