Penetration Testing mailing list archives
RE: The legal / illegal line?
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 6 Mar 2007 10:44:10 +1100
"So in your opinion, companies have a legal right to put my credit card information, social security information, medical information, etc. at risk?"

No, and this is not what I stated. There are privacy and credit protection laws to cover this. I do agree that the laws are f_cked as you put it, but we live in a democracy (or at least most ppl on this list do) and the tyranny of the majority wins. Most people are afraid of change and thus the changes that occur are those lobbied for by those with a vested interest.

However, where do you draw the line? I admit the law is far too sided with stopping others from helping (or taking the law into their own hands), but where do you draw the line? As an example (excluding cases where there is an obligation, in this case such as a parent-child relationship):

A person is (except in a FEW jurisdictions where there are explicit help laws - which would mean making a phone call) drowning in a puddle. You see them and stop. You do nothing to stop others seeing you or the other person and do not interfere. It is clear that the other person is drowning in the puddle. They seem unconscious. To save them all you have to do is roll them over - at no cost to yourself. You decide to wait and watch them die. You have done nothing legally wrong.

Case 2. You see a person in trouble. Another person is going to run for help but you state that you can handle it and tell them not to go to the phone. They comply. You fail in your attempt to save the person, but it is likely that a trained person (if they arrived) could have saved them. You are legally responsible for the person's death.

"Just seems backasswards to me."

Yes, and to many people I would believe. But most people do not take an interest, and thus laws are biased away from society's interests. This is a topic best off this list however. The point is not if the law is right or wrong, but that it is there.

Regards,
Craig

-----Original Message-----
From: McCarty, Eric C. [mailto:emccarty () er ucsd edu]
Sent: Tuesday, 6 March 2007 9:01 AM
To: Craig Wright; Dotzero; pen-test () securityfocus com
Subject: RE: The legal / illegal line?

I agreed up until...

"People and firms have a legal right to ignorance. As much as we may want to change this, they have the right to live in their own stupidity and bear their own risk. You do not have the right to make them agree with you - even if you are right."

ORLY? So in your opinion, companies have a legal right to put my credit card information, social security information, medical information, etc. at risk? You may perhaps be very right, but I'm certain we can now see very clearly how f__cked the laws we live under regarding Information technology are. I think laws should be amended to protect the do-gooders who find and report vulnerabilities, since as you mentioned, many companies live in ignorance and care less; why should the consumer be left at the mercy of the "bad people" (black hats if you will) instead of protected by the "good people" (white hats if you will)? Just seems backasswards to me.

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright
Sent: Monday, March 05, 2007 1:24 PM
To: Dotzero; pen-test () securityfocus com
Subject: RE: The legal / illegal line?

Dotzero is correct, you can point out concerns to the party you have contracted to and have them ask the third party to do something, or stay away. Worse still, in many common law jurisdictions (inc the US, UK, Au etc) you may be breaking the law further by not freely giving any information on the scan to the third party (TP). First there is no contract with the TP to cover you for any damages (and scans can cause hosts to crash = damage). Next, you have no implied or explicit license to engage in the action, thus a breach of the TP's rights.

Thus if you call them after the event stating something along the lines of "I have scanned your system and discovered vulnerability X, I will send you the report for $1,000" for instance, you could be held to have committed extortion. Where the TP exchanges money for the report, not only have you handed them proof of the action, but this is now blackmail. Next, consideration can not pass after the event in a contract. Thus if the party pays you, even where there is no criminal liability, they can bring suit to regain the payment from you in that there was no valid contract and the payment may be revoked.

People and firms have a legal right to ignorance. As much as we may want to change this, they have the right to live in their own stupidity and bear their own risk. You do not have the right to make them agree with you - even if you are right.

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dotzero
Sent: Tuesday, 6 March 2007 6:52 AM
To: pen-test () securityfocus com
Subject: Re: The legal / illegal line?

The original question from Barry was about legal vs illegal. There is only one (IMHO) answer to that question. It depends on jurisdiction. The laws that apply in one jurisdiction may not apply in another.

I'm also concerned about Barry asking about when others "approach a client" to tell them about their insecurities following a "simple pen-test". They are NOT your client unless they have engaged you. They are a potential client. They have no relationship with you and you have not been authorized by them to do anything on their behalf. Even if you haven't done anything illegal, most companies I'm familiar with would be unlikely to hire you or your company under such circumstances. The actions you describe are indicative of a failure to recognize appropriate boundaries.

A more reasonable approach (and one more likely to attract business) would be to have your sales people pitch a free security assessment. Have a standard agreement authorizing a standard but limited set of activities that you can then use to show a potential client how they might benefit from your services.

As usual, just my 2 cents.

dotzero

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.