From: McCarty, Eric C. (emccarty@er.ucsd.edu)
Date: Mon Mar 05 2007 - 13:44:36 EST
Honestly the problem is two-fold
1). The laws today (in the US) no longer require malicious intent to be
shown in an unauthorized access, so imagine you find and report a
vulnerability (with no intent to exploit it for personal gain), you can
still be charged with felony unauthorized access and chances are you
will be convicted.
This means a XSS vulnerability you find in a website hosted in the US by
2). The general posture of security/network administrators has changed,
Nowadays Admin's call the FBI.
This really isn't isolated to network security though, the posture of
Eric
-----Original Message-----
Thanks All
I agree totally, that it is a line that should be kept away from
How do you convince them, when they won't give permission because isn't
Thanks again
Barry Fawthrop wrote:
This archive was generated by hypermail 2.1.7
: Sat Apr 12 2008 - 10:57:38 EDT
typing in http://site.com/script.php?
book a felonious offense.
5, maybe 10 years ago, if someone found/reported a vulnerability in your
network you would buy them lunch or thank them.
the entire nation has changed, not to be to off topic but in my fathers
time, bringing a gun rack to school in your pickup was show and tell,
try doing that today.
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Barry Fawthrop
Sent: Monday, March 05, 2007 5:29 AM
To: Barry Fawthrop
Cc: pen-test@securityfocus.com
Subject: Re: The legal / illegal line?
But then how do you "prove" to someone that their system isn't as secure
as they "feel"/assume it is?
I have run into many companies where you can see the security is not
what it should be.
Yet you ask the IT director and they are so convinced they have perfect
security and even report that to their
bosses. Yet the signs are clear they don't?
warning them removing them from
Due Diligence to Due Negligence?
Barry
> Hi All
>
> Curious to hear other views, where does the legal and illegal line
stand
> in doing a pen test on a third party company?
> Does it start at the IP Address/Port Scanning Stage or after say once
> access is gained?? very vague I know
>
>
> I'm also curious to hear from other external/3rd party pen-test
> consultants, how they have managed to solve the problem
> Where they approach a client who is convinced they have security, and
> yet there is classic signs that they don't?
> You know that if you did a simple pen-test you would have the evidence
> to prove your point all would be mute
>
> But from my current point that would be illegal, even if no access was
> gained. (maybe I'm wrong) ??
>
> Perhaps this is just a problem here where I am or perhaps it exists
> elsewhere also?
>
> I look forward to your input
>
> Barry
>
>
>
------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
>
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
>
------------------------------------------------------------------------
>
>
>
--
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------