If we were still in a society where a persons word of honor still mattered then Lamo and Security companies could be lumped together.

Unfortunately we are in a world where if there is no legal (written, signed in triplicate with some blood, ok the blood is a little overboard and facetious) contract with several CYA provisions containing the limits to whih you will prope the security of the network you are hired to probe, then you can be held liable for all of your actions. This is especially true if you actually find items and embarass the company who you just took contract with. Include in the contract every tool and how it will affect the network and machines and get the company to sign off on it to CYA yourself.

Do I think this Lamo is doing the right thing, not really. He is definetely on the grayer side of the line, though he does his 'fixing' pro-bono when he finally does get around to letting the company know. There are many shades of grey, unfortunately the better PEN-testers I have met in the last ten years have been people that don't work well with authority and have a definite issue with corporate structure. Those that I have worked with/hired/met that have fit in corporate structuer 80% were basically script kiddies. Meaning if you showed them how the tool worked and what the output meant they'd interpret the results the way you told them to.

Sorry went off on a slight rant.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/595/16367#16367