Information Security News mailing list archives

Re: Bad Raps for Non-Hacks


From: InfoSec News <isn () c4i org>
Date: Wed, 18 Jun 2003 02:56:26 -0500 (CDT)

Forwarded from: Russell Coker <russell () coker com au>

On Tue, 17 Jun 2003 17:14, InfoSec News wrote:
> By Mark Rasch
> June 16, 2003
> [...]
> Professional penetration testers already know to get explicit
> authorization in writing before beginning work. But given the
> dramatic sweep of some of these laws, and the growing history of
> their abuse, simple authorization may not be enough. Pen testers
> should have the client detail exactly the scope and extent of the
> network to be tested -- a range of IP addresses, domains, or
> physical locations. Straying beyond these ranges may land the tester
> in legal hot water.

While this seems like reasonable advice for staying out of jail, it
raises the question of what you should do when you suspect that a
network is insecure.

There have been many occasions when I have had good cause to believe
that a client's network was insecure. In the past, before this
foolishness started occurring, I would just do a quick port-scan and
then advise them of the need to fix their problems.

Now it seems that you can't win. If you do the port-scan you can be
arrested; if you ask whether you can do the port-scan, then they probably
won't be interested (no one will say "no", they will just fail to say
"yes"); and if you do nothing, then you'll get blamed if they get
hacked!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


