Firewall Wizards mailing list archives
Re: Legal Release for Security Work
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Wed, 26 Oct 2005 16:35:20 -0400
In message <001801c5d372$27a11dd0$0212aa80 () csw l3com com>, "Jay Archibald" writes:

> Here is a sample PENETRATION TESTING CONTRACT. This same contract is found in EC-Council's Ethical Hacker Course resource kit. http://www.pwcrack.com/penetration_contract.shtml

One problem with this contract: it does not state clearly the sorts of actions the provider is allowed to perform, including what machines can be attacked. This is not a trivial point. For example, suppose that Department A within a company hires a penetration tester; the attack goal is to obtain access to a login account within that department. One very plausible way to do that is to hack a machine in Department B that is used by someone in Department A, and get in from there. Is that permissible or not? Before you answer, remember the Randal Schwartz case.

More generically -- the laws against hacking bar *unauthorized* access to computer systems. What is authorized in this case? Is breaking and entering permitted? Do you have suitable evidence to show the local prosecutor in case you're caught?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Current thread:
- Legal Release for Security Work Christopher Hicks (Oct 13)
- Re: Legal Release for Security Work Jay Archibald (Oct 26)
- Re: Legal Release for Security Work Steven M. Bellovin (Oct 31)
- PIX Dual line Internet HDSL and ADSL Felice Gaiba (Oct 31)
- Re: Legal Release for Security Work Jay Archibald (Oct 26)