Re: Using 0days as part of pen-test?

[Oliver Schad <oliver.schad () oschad de>]

Am Dienstag, 13. Januar 2009 schrieb mir Pete Herzog:
> I think you don't have any problems except if you performed actions
> outside the statement of work, the contract, or the scope or live in
> France.  As I can see it:
>
> 1. By penetrating in you were able to see more of the infrastructure
> and make a better analysis of what is there and what its limitations
> are so you did a good thing. Not to mention by saving time with that
> you had time to be much more thorough, test from various vectors, and
> give a real value for the test.

I don't understand something: Why should you test a blackbox, why 
shouldn't you get all informations except user accounts? You don't know 
the knowledge of all attackers around the world about this specific 
network. You should assume, there is somebody who knows everything, 
should you?

I mean, why should I choose as a tester a role of an attacker who knows 
nothing about the network if there is somebody in this world who could 
attack this network with all knowledge he needs?

Regards
Oli

Attachment: signature.asc
Description: This is a digitally signed message part.