RE: Volunteer pen testing

From: Lachniet, Mark (mlachniet@sequoianet.com)
Date: Wed Dec 15 2004 - 16:13:20 EST

• Next message: leonardo: "Re: Research on penetration testing?"
• Previous message: Maarten Hartsuijker: "edirectory pasword hashes"
• Maybe in reply to: Matt Bellizzi: "Volunteer pen testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Another good idea is to REALLY verify that you are hitting the right IP
owned by the organization. Small shops sometimes don't know their own
subnet or IP addresses, so try to verify by looking at a router config
or whois lookup. That way you don't whack the wrong victim and get
liability from someone you *didn't* get a CYA letter from. Could really
put a damper on all that altruism :)

P.S. For Pete's sakes, people, don't send out of office replies to a
listserve. Every time I send an email to this list I get about 30 of
those suckers. Geesh

Mark Lachniet

> -----Original Message-----
> From: Matt Bellizzi [mailto:matt.bellizzi@nokia.com]
> Sent: Wednesday, December 15, 2004 2:21 PM
> Cc: pen-test@securityfocus.com
> Subject: Re: Volunteer pen testing
>
> Thanks for responding everyone. Well it looks like there
> are two camps
> here. The first group mostly objects to the liability to me. The
> second thinks it's a good idea. It looks like I should seek
> some legal
> advice. Luckily my company offers that as a benefit. Or
> I'm sure I
> could probably find a lawyer to do it pro-bono. Looks like
> I'll need
> a NDA for me, a letter of intent and a agree to hold harmless for my
> client. If someone out there has some boiler plate examples
> of these I
> would love to see em. A couple of other issues were also
> brought to my
> attention. Like What is the scope of the pen test? Also
> what happens after the pen-test? And finally who to call if
> I DOS something. Off the top of my head. The scope of the
> pen-test is Dependant on the client's network. The actions
> after the pentest depends on if they staff or not. As for
> crashing machines....I'm thinking that before even attempting
> to test I would have to meet with the whomever they have on
> staff and co-ordinate off times for testing and contact numbers. I
> would also not run actually dos exploits. This might not be
> considered a pen-test but, I still think it might be useful
> and/or fun.
>

• Next message: leonardo: "Re: Research on penetration testing?"
• Previous message: Maarten Hartsuijker: "edirectory pasword hashes"
• Maybe in reply to: Matt Bellizzi: "Volunteer pen testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT