RE: ethics of approaching vulnerable prospective clients

[giraffe9 () optusnet com au]

Example 2 is clearly not acceptable.  It amounts to an intrusion and would be a 
criminal offence in many countries.

Example 1 is acceptable.  It is a passive vulnerability scan.  It's like looking for 
web servers that do not use ssl when they ought to be and then you figure those 
organisations need help.  An active vulnerability scan (you send traffic to the 
target specifically to find vulnerabilities, traffic that would not be sent in the normal 
course of business) is not, in my opinion, acceptable.

9iraffe


-----Original Message-----
From: Zach Forsyth [mailto:zach.forsyth () kiandra com]
Sent: 12 November 2002 14:38
To: pen-test () securityfocus com
Subject: ethics of approaching vulnerable prospective clients


Been lurking for quite some time now but thought I might pose a question
to everyone on the list.

I just wanted to see what everyone's opinions were on means of
approaching vulnerable prospective clients. 

Of interest especially are clients with wireless networks.

.... etc

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/