RE: RE: Sneaking a peek on Wlan in airports

From: mystic33 (mystic33@comcast.net)
Date: Thu May 17 2007 - 20:55:09 EDT


That is one of the more straightforward comments I have heard in a while. It
is my opinion that all points made by ebk are on the money. It cuts through
the BS of this thread and should end this discussion.
Thanks

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of ebk_lists@hotmail.com
Sent: Thursday, May 17, 2007 6:34 PM
To: pen-test@securityfocus.com
Subject: Re: RE: Sneaking a peek on Wlan in airports

I feel that I must interject here. Even at the risk of having my email
killed by the moderator.

Here goes:

Jasper,

For the sake of argument (or non-argument) I'll just assume
your actions were an accident. Things do happen and we do get busy from time
to time. It may be possible for the scenario you have outlined to have
happened. Ok.

So, for one thing, were your results being saved to the same file
constantly? Was this the only additional password you picked up aside from
the ones from the client's network? How are you to know? This may skew your
results, no? What of any audit trails you may have? What if your client
requests them? At the very least, you have created additional work for
yourself. Secondly, why did you feel the need to post this to this mailing
list from your work email? I think most people, even the most ethical and
honest of us included, would have deleted the password and pretended it
didn't happen (because honestly, in this day and age people would rather
shoot the messenger than hear the message). But you asked the world what you
should do, and in so doing, described an admittedly questionable scenario. I
guess the main problem I have with your post is that you sent it from your
work email, and I am quite surprised no one else has called you out on it,
yet. PWC (price waterhouse coopers) has worked really hard to establish
itself as one of the premier pen testing and computer auditing firms in the
country, even the world. A lot of us on this list work for companies that
have paid or will pay your company a tremendous amount of money to come and
conduct either a pen test or an audit (or both) on our networks. Seeing
things like this creates questions on what we are paying for and who we are
allowing into our networks.

I guess I can just sum it up by strongly
recommending that you get a hotmail account to post to this list. I admit
that I am far from perfect, but I wouldn't want to embarrass my employer,
either.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:48 EDT