re: Odd situation, advice needed on penetration test results

From: Harlan Carvey (keydet89at_private)
Date: Thu Mar 27 2003 - 06:23:26 PST


    Desmond,
    
    > I think the reason for the original post is because
    > the customer is a
    > fortune 500 company they may choose to keep
    > knowledge of the intrusion in
    > house to avoid embarrassment. 
    
    I don't see how that matters.  If that is the
    case...then why did the OP post at all?  If the client
    wanted to keep it in house, the OP could have simply
    gone to the client and said something.  Informing the
    client doesn't mean that the OP had to inform LEOs, as
    well.  
    
    Yet, instead of informing the client, the OP posted to
    a public list for advice.  How difficult would it be
    to perhaps track down where the post originated from,
    and make assumptions as to who the OP works for, and
    then guess who the client might be?
    
    > What should the pen-testers do in this
    > case?  
    
    One would think that the answer is pretty obvious. 
    Regardless of what the contract for the pen-test
    states, one would think that the only *right* thing to
    do is to inform the customer.
    
    Remember the problem Microsoft had w/ emails a couple
    of years ago, w/ regards to the suit brought against
    them?  Well, now, we have a post to a public list. 
    What happens if someone familiar w/ the incident,
    maybe even the client themselves, sees the post?  
    
    > Due to what has been seen it sounds like a
    > fairly sophisticated
    > intrusion that needs to be analyzed and reported so
    > that the security
    > community will know about it. 
    
    Reviewing the original post, there's nothing in it
    that really speaks to the sophistication of the
    intrusion.  Saying that the intrusion is
    "sophisticated" is assuming facts that are not in
    evidence.  The public list has no idea of the
    infrastructure or security posture of the client.
    
    Regarding analyzing the intrusion and reporting it to
    the security community...well, if you know of a site
    or sites that list such things, please send me the
    link.
    
    > Most certainly the companies whose software
    > is involved should know about it.  However, the
    > pen-tester is under
    > contract with the customer and most likely there are
    > clauses on
    > confidentiality that preclude the tester
    > independently choosing what
    > actions should be taken or how far the information
    > about the breach can be
    > disseminated.  In the end it's the customer's
    > decision, isn't it?
    
    Sure.  But don't you think that the customer should
    have the opportunity to make the decision?  The OP
    basically said that this intrusion was
    discovered...what do we do now?  The OP specifically
    stated that the client hadn't been informed.  It
    should be incumbent upon the OP to inform the client,
    and let them make the decision.  If the client is
    worried about embarrassment due to public disclosure
    of the intrusion...oh, well, kind of late for that,
    isn't it?  
    
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 09:00:51 PST