Firewall Wizards mailing list archives

Re: Legal Release for Security Work


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Wed, 26 Oct 2005 16:35:20 -0400

In message <001801c5d372$27a11dd0$0212aa80 () csw l3com com>, "Jay Archibald" writes:
Here is a sample PENETRATION TESTING CONTRACT.  This same contract is found
in EC-Council's Ethical Hacker Course resource kit.

http://www.pwcrack.com/penetration_contract.shtml


One problem with this contract: it does not state clearly the sorts of 
actions the provider is allowed to perform, including what machines can 
be attacked.  This is not a trivial point.  For example, suppose that 
Department A within a company hires a penetration tester; the attack 
goal is to obtain access to a login account within that department.  
One very plausible way to do that is to hack a machine in Department B 
that is used by someone in Department A, and get in from there.  Is 
that permissible or not?  Before you answer, remember the Randal 
Schwartz case.

More generically -- the laws against hacking bar *unauthorized* access 
to computer systems.  What is authorized in this case?  Is breaking and 
entering permitted?  Do you have suitable evidence to show the local 
prosecutor in case you're caught?

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
