Penetration Testing mailing list archives

RE: The legal / illegal line?


From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 6 Mar 2007 08:24:11 +1100


Dotzero is correct, you can point out concerns to the party you have
contracted to and have them ask the third party to do something, or stay
away.

Worse still, in many common law jurisdictions (inc the US, UK, Au etc)
you may be breaking the law further by not freely giving any information
on the scan to the third party (tp). First there is no contract with the
TP to cover you for any damages (and scans can cause hosts to crash =
damage).

Next, you have no implied or explicit license to engage in the action,
thus a breach of the TP's rights.

Thus if you call them after the event stating something along the lines
of "I have scanned your system and discovered vulnerability X, I will
send you the report for $1,000" for instance, you could be held to have
committed extortion. Where the TP exchanges money for the report, not
only have you handed them proof of the action, but this is now
blackmail.

Next, consideration can not pass after the event in a contract. Thus if
the party pays you, even where there is no criminal liability, they can
bring suit to regain the payment from you in that there was no valid
contract and the payment may be revoked.

People and firms have a legal right to ignorance. As much as we may want
to change this, they have the right to live in their own stupidity and
bear their own risk. You do not have the right to make them agree with
you - even if you are right.

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Dotzero
Sent: Tuesday, 6 March 2007 6:52 AM
To: pen-test () securityfocus com
Subject: Re: The legal / illegal line?

The original question from Barry was about legal vs illegal. There is
only one (IMHO) answer to that question. It depends on jurisdiction.
The laws that apply in one jurisdiction may not apply in another.

I'm also concerned about Barry asking about when others "approach a
client" to tell them about their insecurities following a "simple
pen-test". They are NOT your client unless they have engaged you.
They are a potential client. They have no relationship with you and
you have not been authorized by them to do anything on their behalf.
Even if you haven't done anything illegal, most companies I'm familiar
with would be unlikely to hire you or your company under such
circumstances. The actions you describe are indicative of a failure to
recognize appropriate boundaries.

A more reasonable approach (and one more likely to attract business)
would be to have your sales people pitch a free security assessment.
Have a standard agreement authorizing a standard but limited set of
activities that you can then use to show a potential client how they
might benefit from your services.

As usual, just my 2 cents.

dotzero

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

