Penetration Testing mailing list archives
RE: The legal / illegal line?
From: "McCarty, Eric C." <emccarty () er ucsd edu>
Date: Mon, 5 Mar 2007 10:44:36 -0800
Honestly the problem is two-fold:

1) The laws today (in the US) no longer require malicious intent to be shown in an unauthorized access, so imagine you find and report a vulnerability (with no intent to exploit it for personal gain): you can still be charged with felony unauthorized access, and chances are you will be convicted. This means an XSS vulnerability you find in a website hosted in the US by typing in http://site.com/script.php?<SCRIPT>alert();</SCRIPT> is by the book a felonious offense.

2) The general posture of security/network administrators has changed. 5, maybe 10 years ago, if someone found/reported a vulnerability in your network you would buy them lunch or thank them. Nowadays admins call the FBI.

This really isn't isolated to network security though; the posture of the entire nation has changed. Not to be too off topic, but in my father's time, bringing a gun rack to school in your pickup was show and tell. Try doing that today.

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Barry Fawthrop
Sent: Monday, March 05, 2007 5:29 AM
To: Barry Fawthrop
Cc: pen-test () securityfocus com
Subject: Re: The legal / illegal line?

Thanks All

I agree totally that it is a line that should be kept away from. But then how do you "prove" to someone that their system isn't as secure as they "feel"/assume it is?

I have run into many companies where you can see the security is not what it should be. Yet you ask the IT director and they are so convinced they have perfect security and even report that to their bosses. Yet the signs are clear they don't.

How do you convince them, when they won't give permission? Because isn't warning them removing them from Due Diligence to Due Negligence?

Thanks again
Barry

Barry Fawthrop wrote:

Hi All

Curious to hear other views: where does the legal and illegal line stand in doing a pen test on a third party company? Does it start at the IP Address/Port Scanning Stage, or after, say, once access is gained?? Very vague, I know.

I'm also curious to hear from other external/3rd party pen-test consultants how they have managed to solve the problem where they approach a client who is convinced they have security, and yet there are classic signs that they don't. You know that if you did a simple pen-test you would have the evidence to prove your point and all would be moot. But from my current point that would be illegal, even if no access was gained. (Maybe I'm wrong) ??

Perhaps this is just a problem here where I am, or perhaps it exists elsewhere also?

I look forward to your input
Barry
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------