Penetration Testing mailing list archives

Re: The legal / illegal line?


From: Martin Zimmermann <Prohest () gmail com>
Date: Mon, 05 Mar 2007 22:52:58 +0100

Never _ever_ engage in anything without a signed "get out of jail letter" + a quite specific agreement stating what you are authorized to do and what the potential risks are. Dotzero is very right in concluding that they are _not_ in any way a client until a signed agreement exists. I can only imagine very few (and somewhat far-fetched) situations where you "discover" a vulnerability without "crossing the line", both in relation to the law and morally. Besides, no serious client would ever hire a pen-test team that "pre-pens" them. It shows a complete lack of professionalism and often borders on blackmail in most of the cases I've come across. And it quite frankly sounds like you crossed the line!

Just my 1½ cent

Martin

-

Dotzero wrote:
The original question from Barry was about legal vs illegal. There is
only one (IMHO) answer to that question. It depends on jurisdiction.
The laws that apply in one jurisdiction may not apply in another.

I'm also concerned about Barry asking about when others "approach a
client" to tell them about their insecurities following a "simple
pen-test".. They are NOT your client unless they have engaged you.
They are a potential client. They have no relationship with you and
you have not been authorized by them to do anything on their behalf.
Even if you haven't done anything illegal, most companies I'm familiar
with would be unlikely to hire you or your company under such
circumstances. The actions you describe are indicative of a failure to
recognize appropriate boundaries.

A more reasonable approach (and one more likely to attract business)
would be to have your sales people pitch a free security assessment.
Have a standard agreement authorizing a standard but limited set of
activities that you can then use to show a potential client how they
might benefit from your services.

As usual, just my 2 cents.

dotzero

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




---
avast! Antivirus: Outgoing message is clean.
Virus Database (VPS): 000721-1, 03-03-2007
Tested: 05-03-2007 22:52:58
avast! - copyright (c) 1988-2007 ALWIL Software.
http://www.avast.com/





