Mark Rasch, 2003-06-16
A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.
Bad Raps for Non-Hacks
2003-06-16
blacklight
I have two years' worth of experience with penetration testing and vulnerability assessments for a company doing just that until it went out of business, and I fully concur with Mr. Rasch's advice: CYA!
There are several solid business reasons why:
(1) Doing unauthorized scans of systems makes as ...
Pen-testing own (hosted) domain
2003-06-17
Andy (1 replies)
So how do you go about pentesting your own domain hosted on someone else's server? It's pretty important to ensure that your site is safe from the script kiddies, but at the same time you don't want to get your domain/website pulled just because you tested it for vulnerabilities! Regarding alice next ...
Bad Raps for Non-Hacks
2003-06-17
Anonymous (3 replies)
blacklight makes many good points.
As a former pen-tester of five years (I work in in-house corporate security now) I agree with many of blacklight's statements.
I also have to make a statement of whomever in the security industry did not see these scenarios coming three years ago (or even as mu...
Inadvertent Straying While Pen Testing
2003-06-17
Mark Rasch (1 replies)
If you inadvertently go beyond the range of IP addresses you intend to test (e.g., mistype an IP address) you are likely not CRIMINALLY liable, as the statute requires intentional access without authorization -- but this presupposes that the prosecutor believes you when you tell him it was an accide...
Inadvertent Straying While Pen Testing
2003-06-23
Anonymous
Mark, in your latest message you bring up a very good analogy. The idea of a car not being locked is a good point. If I'm in the car with you and happen to notice your car not locked as you head to your local retail outlet, I say, hey, your car door is unlocked!
You turn and say it's locked, I ...
Bad Raps for Non-Hacks
2003-06-19
blacklight
Thanks for the compliment.
I will add that them short-sighted idiots happen to be the ones who have the ultimate authority to approve the expenditures that pay your bills and mine as security people. The world can be cruel, ugly and unfair in that way, but that's the way things are.
You are r...
Bad Raps for Non-Hacks
2003-06-19
Elc0chin0 (1 replies)
I have a problem with the "get it in writing" people. To me this is as dumb as it gets. Let me ask you one question about penetration testing, then let me give you an analogy.
Does a hacker send you a "letter of intent"?
Analogy:
If you work in a building where physical security is required an...
Bad Raps for Non-Hacks
2003-06-23
Ferg (1 replies)
You have hit the nail on the head. Any effective penetration test needs to be done without the knowledge of the staff whose equipment is being tested. I can see the network admin now - "Looks like we're getting a VA done over the weekend so I'll turn off my UT2003 server and close the gaping holes i...
Bad Raps for Non-Hacks
2003-06-24
blacklight
"I suggest we look to the PWCs and KPMGs of this world to see how they go about their business when auditing. No need to reinvent the wheel."
I don't know. Arthur Andersen was advertising a course on how to deal successfully with regulators roughly at the time they were convicted of obstruction ...
Bad Raps for Non-Hacks
2003-06-18
Elc0chin0
It was refreshing to finally read about others who have suffered my same plight. Ignorant bureaucrats defending their arrogant lack of understanding of the technology they use by exploiting the very laws that should protect us.
In 2000 I had been working with the Office of Inspector General as a...
Bad Raps for Non-Hacks
2003-06-20
Hamster1
Elc0chin0: You have my sympathy. I never thought that people in the security field would have such a hard time just doing their job, especially someone who has the expertise and certification that you have. It seems that we all have to study law, as well as network security, just to protect ourselv...
But what if you do a WiFi-drive-by test on Bob's network (with permission) and Alice's network next door is vulnerable too? Alice never ...