RE: Follow up on "How much do you disclose to customers?"

[ethanpreston () ziplip com]

> -----Original Message-----
> From: Rob Shein [mailto:shoten () starpower net]
> Sent: Wednesday, January 07, 2004, 3:40 PM
> To: ethanpreston () ziplip com, pen-test () securityfocus com
> Subject: RE: Follow up on "How much do you disclose to customers?"
>
> That slashdot post talks about something entirely different.  The vendor in
> question didn't come up with a list of vulnerabilities that were bad...they
> pointed at the sole security engineer as the vulnerability himself.
> Furthermore, they then moved in to replace him.  This is rather a no-no in
> terms of the OSTMM, for obvious reasons.  It's one thing if a company reacts
> or even overreacts to a report of factual findings (an open port is an open
> port, regardless of office politics or the sales quota of a vendor) and
> fires someone, it's another thing if the company producing the report goes
> so far over the line as to state that an employee of another organization is
> to blame for insecurity.  I don't feel that if this vendor got sued that I'd
> be nervous about legal risk when handing over a report done my way.

If things happened the way the poster said, there's no doubt the vendor was predatory and would probably lose if the 
poster sued. But no one can tell your a totally incompetant network admin on the Internet -- the poster could just as 
easily be an incompetant, and the vendor just outed his total failure to secure the network. At some point, I'd feel 
comfortable telling a client that their personnel wasn't doing their job. Or maybe the client does totally overreact 
and fire somebody... But in either case, how hard would it be for a disgruntled admin to sue your firm? Even if the 
suit's groundles...
 
I guess my point in linking that article is more that even if you do just report the facts, its possible to step in it 
-- what do people do to stay out of trouble? 

> > -----Original Message-----
> > From: ethanpreston () ziplip com [mailto:ethanpreston () ziplip com] 
> > Sent: Tuesday, January 06, 2004 5:21 PM
> > To: pen-test () securityfocus com
> > Subject: Follow up on "How much do you disclose to customers?"
> >
> >
> > The list previously hashed out the pros and cons of informing 
> > the client's entire personnel about the coming pen-test. One 
> > of the issues that came up was the potential for the client's 
> > employed security staff to use the advance notice to game the 
> > results and skew the test results: 
> > http://seclists.org/lists/pen-> test/2003/Dec/0105.html
> >
> > How 
> > does the pen-test community on 
> > this list deal with possibility of legal reprisal from the 
> > client's employees? No matter what contractual liability 
> > limitations you can negotiate with the client, that won't 
> > extend to an employee that gets canned because one's report 
> > paints them in an incompetant light.
> >
> > I think there's a slashdot post on this topic (from the other 
> > side), where at least some of the posters start muttering for 
> > legal action. 
> > http://ask.slashdot.org/article.pl?sid=03/12/19/0456221&mode=t
> hread&tid=126&tid=163
>
> Cheers,
>
> Ethan
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------