Follow up on "How much do you disclose to customers?"

From: ethanpreston@ziplip.com
Date: Tue Jan 06 2004 - 17:20:35 EST


The list previously hashed out the pros and cons of informing the client's entire personnel about the coming pen-test. One of the issues that came up was the potential for the client's employed security staff to use the advance notice to game the results and skew the test results:
http://seclists.org/lists/pen-test/2003/Dec/0105.html

How does the pen-test community on this list deal with the possibility of legal reprisal from the client's employees? No matter what contractual liability limitations you can negotiate with the client, that won't extend to an employee that gets canned because one's report paints them in an incompetent light.

I think there's a slashdot post on this topic (from the other side), where at least some of the posters start muttering for legal action.
http://ask.slashdot.org/article.pl?sid=03/12/19/0456221&mode=thread&tid=126&tid=163

Cheers,

Ethan
