Hi, the new version of the OSSTMM (2.0) at www.osstmm.org/download.htm has a section in the appendix about the legalities in various countries about pen-testing, invited and uninvited.
Sincerely, -pete.

-----Original Message-----
From: Paul Hosking [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 08:15 AM
To: Billy D Walls
Cc: [EMAIL PROTECTED]
Subject: Re: A question on the law.

I am not a lawyer. I have no legal background. This is not legal advice. This is my personal opinion based on personal experience and observation within various Infosec activities in Corporate and US Government environments. And it's cynical. You have been warned. :)

On Fri, 2002-02-22 at 21:54, Billy D Walls wrote:
> networks bandwidth free of charge, is there a way LEGALLY to tell these
> people how bad the security is without getting shot. I don't want to go to
> jail, I don't want to be called a terrorist, I just want to tune these
> people into a clue...?

In the perfect world, dropping a quick email to the network owners alerting them of their vulnerability would be enough. You would get a polite thank-you. Maybe a request for more information. You would feel happy that you helped and they would be better off for your help.

Enter the real world. Your notification will cause confusion within the IT ranks. Decision Makers will be asking about "evil hackers" managing to "hack the network" despite the expensive firewalls and anti-virus software. Managers will go into CYA mode. It will be decided "something must be done" although it's very possible nobody will understand the technical issues involved. Someone will mention knowing an agent at the FBI. You will become the focus of a criminal investigation.

In short, it's possible your warning will be well received. But it is more likely that you will be punished for your effort. Your gain probably does not justify your risk if you came forward with this information.

Infosec has a number of tenets. For those who are interested in infosec, the most important may very well be "before you test any organization's information security posture, you should have WRITTEN permission to do so."

This comes from an ongoing history of individuals being prosecuted for minor infractions in the name of computer security. One of the most famous of such cases is Randal Schwartz:

http://www.lightlink.com/spacenka/fors/
http://www.rahul.net/jeffrey/ovs/

--
.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec . 408.829.9402
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9