Re: [fw-wiz] Legal Release for Security Work
From: Steven M. Bellovin (smb_at_cs.columbia.edu)
Date: 10/26/05
- Previous message: Julian M D: "Re: [fw-wiz] The Death Of A Firewall"
To: "Jay Archibald" <jay.archibald@comcast.net> Date: Wed, 26 Oct 2005 16:35:20 -0400
In message <001801c5d372$27a11dd0$0212aa80@csw.l3com.com>, "Jay Archibald" writes:
>Here is a sample PENETRATION TESTING CONTRACT. This same contract is found
>in EC-Council's Ethical Hacker Course resource kit.
>
>http://www.pwcrack.com/penetration_contract.shtml
>
One problem with this contract: it does not state clearly the sorts of
actions the provider is allowed to perform, including what machines can
be attacked. This is not a trivial point. For example, suppose that
Department A within a company hires a penetration tester; the attack
goal is to obtain access to a login account within that department.
One very plausible way to do that is to hack a machine in Department B
that is used by someone in Department A, and get in from there. Is
that permissible or not? Before you answer, remember the Randal
Schwartz case.
More generically -- the laws against hacking bar *unauthorized* access
to computer systems. What is authorized in this case? Is breaking and
entering permitted? Do you have suitable evidence to show the local
prosecutor in case you're caught?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards