In message <001801c5d372$27a11dd0$0212aa80@csw.l3com.com>, "Jay Archibald" writes:
>Here is a sample PENETRATION TESTING CONTRACT. This same contract is found
>in EC-Council's Ethical Hacker Course resource kit.
>
>http://www.pwcrack.com/penetration_contract.shtml
>


One problem with this contract: it does not state clearly the sorts of
actions the provider is allowed to perform, including what machines can
be attacked. This is not a trivial point. For example, suppose that
Department A within a company hires a penetration tester; the attack
goal is to obtain access to a login account within that department.
One very plausible way to do that is to hack a machine in Department B
that is used by someone in Department A, and get in from there. Is
that permissible or not? Before you answer, remember the Randal
Schwartz case.

More generically -- the laws against hacking bar *unauthorized* access
to computer systems. What is authorized in this case? Is breaking and
entering permitted? Do you have suitable evidence to show the local
prosecutor in case you're caught?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards