Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Pentester convicted..
From: Phoebe Tunstall <foibey () gmail com>
Date: Fri, 12 May 2006 20:52:18 +0100

Hash: SHA1

On Fri, 12 May 2006 13:55:03 -0400
Karyn Pichnarczyk <karyn () sandstorm net> wrote:

Therefore, the Actual Damage is the re-evaluation of all systems, and
verification of all data on those compromised systems, to ensure that
the company's data has not been twiddled with/changed/modified.

I wouldn't argue that what the people mentioned in the articles did was ethical (or particularly sane). However, surely 
once a critical flaw like that is discovered at all the data accessed must be considered potentially-compromised, 
whether the flaw was discovered by someone who had permission to look or not. The data was available relatively easily 
to anyone who took a look. There's a good possibility that there have already been intruders who weren't so gracious as 
to identify themselves. The intruder who identifies themselves is not responsible for this "damage", as the damage 
exists with or without them. I think the actual damage you refer to is just logical phallacy to cover the issue that a 
piece of critical technology is seriously flawed. An intruder who does nothing to a company but inform them of a 
security flaw doesn't hurt the company, as the problem was there before they arrived.
A defense of "I didn't do anything" does not lead much credence to
a criminal's testimony.

No, but identifying yourself as the perp does in a few legal systems.
Version: GnuPG v1.4.2 (GNU/Linux)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]