Re: stick with "anonymous" or "authenticated" when describing

["Steven M. Christey" <coley () mitre org>]

"Jonathan G. Lampe" <jonathan.lampe () standardnetworks ! com> said:

> So...I'd stick with "anonymous" or "authenticated" [instead of
> "credentialed"] when describing attacks on servers.

Based on what I've seen emerging in researcher reports and
vulnerability databases/notification services, the terms
"authenticated user" and "unauthenticated attacker" are emerging with
increasing regularity, especially in "remote" cases (i.e. "remote
authenticated user" and "remote unauthenticated attacker.")  CVE
descriptions are moving in this direction.

The "pre-authentication" term is also emerging for cases in which the
software requires authentication, but the vulnerability appears before
that authentication has taken place.  Obviously not all software uses
authentication, so this isn't exactly the same thing as
"unauthenticated" attacks.

- Steve