Forwarded from: Russell Coker <russellat_private>

On Tue, 17 Jun 2003 17:14, InfoSec News wrote:
> By Mark Rasch
> June 16, 2003
[...]
> Professional penetration testers already know to get explicit
> authorization in writing before beginning work. But given the
> dramatic sweep of some of these laws, and the growing history of
> their abuse, simple authorization may not be enough. Pen testers
> should have the client detail exactly the scope and extent of the
> network to be tested -- a range of IP addresses, domains, or
> physical locations. Straying beyond these ranges may land the tester
> in legal hot water.

While this seems like reasonable advice for staying out of jail, it raises the question of what you should do when you suspect that a network is insecure.

There have been many occasions when I have had good cause to believe that a client's network was insecure. In the past, before this foolishness started occurring, I would just do a quick port-scan and then advise them of the need to fix their problems.

Now it seems that you can't win. If you do the port-scan you can be arrested; if you ask whether you can do the port-scan then they probably won't be interested (no-one will say "no", they will just fail to say "yes"); and if you do nothing then you'll get blamed if they get hacked!

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 04:11:08 PDT