RE: ethics of approaching vulnerable prospective clients

From: giraffe9at_private
Date: Tue Nov 12 2002 - 15:11:17 PST

    Example 2 is clearly not acceptable.  It amounts to an intrusion and would be a 
    criminal offence in many countries.
    
    Example 1 is acceptable.  It is a passive vulnerability scan.  It's like looking for 
    web servers that do not use SSL when they ought to be and then you figure those 
    organisations need help.  An active vulnerability scan (you send traffic to the 
    target specifically to find vulnerabilities, traffic that would not be sent in the normal 
    course of business) is not, in my opinion, acceptable.
    
    9iraffe
    
    
    -----Original Message-----
    From: Zach Forsyth [mailto:zach.forsythat_private]
    Sent: 12 November 2002 14:38
    To: pen-testat_private
    Subject: ethics of approaching vulnerable prospective clients
    
    
    Been lurking for quite some time now but thought I might pose a question
    to everyone on the list.
    
    I just wanted to see what everyone's opinions were on means of
    approaching vulnerable prospective clients. 
    
    Of interest especially are clients with wireless networks.
    
    .... etc
    
    



    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 19:42:00 PST