Hi,
the new version of the OSSTMM (2.0) at www.osstmm.org/download.htm has a
section in the appendix about the legalities in various countries about
pen-testing-- invited and uninvited.

Sincerely,
-pete.


-----Original Message-----
From: Paul Hosking [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 08:15 AM
To: Billy D Walls
Cc: [EMAIL PROTECTED]
Subject: Re: A question on the law.


I am not a lawyer.  I have no legal background.  This is not legal
advice.  This is my personal opinion based on personal experience and
observation within various Infosec activities in Corporate and US
Government environments.  And it's cynical.  You have been warned. :)

On Fri, 2002-02-22 at 21:54, Billy D Walls wrote:

> network's bandwidth free of charge, is there a way LEGALLY to tell these
> people how bad the security is without getting shot.  I don't want to go
> to jail, I don't want to be called a terrorist, I just want to tune these
> people into a clue...?

In the perfect world, dropping a quick email to the network owners
alerting them of their vulnerability would be enough.  You would get a
polite thank-you.  Maybe a request for more information.  You would feel
happy that you helped and they would be better off for your help.

Enter the real world.

Your notification will cause confusion within the IT ranks.  Decision
makers will be asking about "evil hackers" managing to "hack the
network" despite the expensive firewalls and anti-virus software.
Managers will go into CYA mode.  It will be decided "something must be
done" although it's very possible nobody will understand the technical
issues involved.  Someone will mention knowing an agent at the FBI.  You
will become the focus of a criminal investigation.

In short, it's possible your warning will be well received.  But it is
more likely that you will be punished for your effort.  Your gain
probably does not justify your risk if you came forward with this
information.

Infosec has a number of tenets.  For those who are interested in
infosec, the most important may very well be "before you test any
organization's information security posture, you should have WRITTEN
permission to do so."  This comes from an ongoing history of individuals
being prosecuted for minor infractions in the name of computer
security.  One of the most famous of such cases is Randal Schwartz:

http://www.lightlink.com/spacenka/fors/
http://www.rahul.net/jeffrey/ovs/

--

.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec      . 408.829.9402

.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945  FA81 8D94 196D 42F9 3AE9
