In message <001801c5d372$27a11dd0$>, "Jay Archibald" writ
>Here is a sample PENETRATION TESTING CONTRACT. This same contract is found
>in EC-Council's Ethical Hacker Course resource kit.

One problem with this contract: it does not state clearly the sorts of
actions the provider is allowed to perform, including what machines can
be attacked. This is not a trivial point. For example, suppose that
Department A within a company hires a penetration tester; the attack
goal is to obtain access to a login account within that department.
One very plausible way to do that is to hack a machine in Department B
that is used by someone in Department A, and get in from there. Is
that permissible or not? Before you answer, remember the Randal
Schwartz case.

More generically -- the laws against hacking bar *unauthorized* access
to computer systems. What is authorized in this case? Is breaking and
entering permitted? Do you have suitable evidence to show the local
prosecutor in case you're caught?

--Steven M. Bellovin,

firewall-wizards mailing list