J.A. Terranson wrote:
>
> What you did was illegal, unethical, and *way* beyond
> acceptable practice. You're lucky he doesn't throw your a$$ in jail.
>

Another misunderstanding. I tried to explain the circumstances and most replies seem to reflect an understanding. The flames I've had stem from insecurity of a different sort, I fear.

Firstly, Fred's initial look was merely a port scan. In this country my understanding is that a port scan is not considered an intrusion and is therefore legal.

Secondly, we discussed a pen-test with Mr Director on the understanding that our interest was a sales meeting (to discuss a full report and/or purchase of solutions) if he had concerns.

As for mixing business interests, are you really saying that security testers should not sell security? I see your point, but in the small business community we have to be practical. How do you find your clients?

Pete

> -----Original Message-----
> From: [mailto:measlat_private]
> Sent: 20 June 2003 12:35
> To: pen_test_listat_private
> Cc: pen-testat_private
> Subject: RE: "Free" pen-test
>
> <snip>
> Your preliminary "look" was done without any type of consent,
> and that makes it an intrusion under the laws of most
> countries and states. You then went to try and sell
> "services" after you had "scared him" with your
> results: this is extortion in most countries and states.
>
> In short: you are *exactly* the kind of sleazy half-baked and
> fully dishonest operations that has put the security industry
> in the position it is in now - having to try and explain to a
> [rightfully] wary public why we are not a problem of the same
> magnitude as the "hacker" we claim to want to protect against.
>
> Further, there is an inherent conflict of interest between
> the pen-tester and the provider of services which are
> suggested by the testing: to truly stay on the moral high
> ground you should never try to mix the two (asbestos
> underwear in place for all you "ethical" testers who then
> sell the repair "services").
>
> Call us back when you find a clue. Even a *small* clue.
>
> --
> J.A. Terranson
> sysadminat_private
>
> > -----Original Message-----
> > From: Pete [mailto:pen_test_listat_private]
> > Sent: Thursday, 19 June 2003 19:54 PM
> > To: pen-testat_private
> > Subject: "Free" pen-test
> >
> > I'm looking for a bit of advice. I was tipped off that company X had
> > minimal security for their large bundle of IP addresses running on
> > Micro$oft servers. I got my mate Fred (!) to have a look and he
> > reckoned they were _very_ vulnerable. So, we went to the security
> > director and "sold" him a free penetration test. Fred then got admin
> > access to their web server plus bucketloads of info about their DMZ
> > and even their 192.168.0.x network. I went back to Mr Director
> > thinking he'd wet himself and he said "I'm not too worried about
> > that....just carry on if you can".
> >
> > Well. Fred is keen to keep going. But I reckon that someone who is
> > "not worried" that his web server could have been taken down in about
> > 4 hours is not worth wasting time on. Needless to say, the cunning
> > plan was to sell him a pile of stuff once he was scared enough.
> >
> > My question is this: how do white-hatters usually approach these
> > things?
> >
> > Grateful for any tips (and thanks for reading if you got to here)
> >
> > Pete
> >
> > Pete Smith
> > www.petesmithcomputers.com
This archive was generated by hypermail 2b30 : Fri Jun 20 2003 - 08:18:30 PDT