Penetration Testing mailing list archives

Re: [PEN-TEST] finding offensive material


From: Andrew Walls <Andrew.Walls () AU COFLEXIP COM>
Date: Wed, 7 Mar 2001 01:04:20 +0100

My advice is to grab a copy of everything and then burn it onto a CD. In
your penetration report mention that you encountered potentially offensive
material that may or may not violate the company's policies regarding the
storage/transmittal of files and that you can provide the client with a copy
of these files if they so desire.

The potential policy violation is unrelated to the penetration test, so the
actual materials should not be included in the report. If the client wants
to deal with it, they can, but they can also choose to ignore the issue. By
retaining a CD of the material, you are able to provide a frozen record of
the material. If you have strong feelings about this, you could have an
off-the-record conversation with someone in HR, but this could affect your
relationship with your primary client in the company, so take care.

-----Original Message-----
From: Penetration Testers <PEN-TEST () SECURITYFOCUS COM>  at csoap-internet
Sent: Tuesday, 6 March 2001 12:04
To:   PEN-TEST () SECURITYFOCUS COM at CSOAP-Internet
Subject:      [PEN-TEST] finding offensive material

Hello,

If during penetration testing files are found on easily accessible business
shares that could be defined as either sexually or racially offensive, how
should that be presented in the finding in the final report? I assume this
could leave a company open to lawsuits concerning hostile work environment,
sexual harassment, racial discrimination, etc., so I would feel somewhat
obligated to include it in the final report. I was hoping that someone
who's had some experience with this situation could help me tiptoe through
this rather politically charged and potentially embarrassing finding in the
final report. I'd like to be thorough in defining the legal risks of this
material to management. Any help with this would be greatly appreciated.
If there is a more appropriate place to post this question, please let me
know.

TIA,
Sheila Soulia



