Dailydave mailing list archives

Re: Pentesters getting owned?


From: "Nexus" <nexus () patrol i-way co uk>
Date: Tue, 4 May 2004 19:43:38 +0100


----- Original Message ----- 
From: "Mordy Ovits" <movits () bloomberg com>
[snip]
I saw a pen-test report that included the pen-tester's own machine in the
report of vulnerable machines.

Hahahahahahahahahahahahahahahahahahaha *bonk* *roll*

That's class ;-)

Anyway, had a thought based on a comment made by "Chad Schieken"
<cschieken () yahoo com>
http://lists.immunitysec.com/pipermail/dailydave/2004-May/000537.html

He had been embarrassed by them. The guy was a nut, but he kinda had them by
the balls cause, what were they gonna do, complain?

Maybe they could? When this happened to me I notified the client point of
contact and explained that the most it would do would be to slow me down,
which when you are paying by the hour is not the ideal situation for a
client to find themselves in. Werd was had from on high and things calmed
down without me having to lock the admins out of their own boxes ;-)

Extrapolating from this, what if something formal was in place?
Prior to a test, the necessary paperwork passes back and forth to allow the
pen test to be conducted without breaching whatever laws are relevant for
your particular locale or bit of the Interweb - we all know this, but ever
seen one that turns it around and holds the client to a formal agreement not
to disrupt the test?

Cheers.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave