[WEB SECURITY] security audit - how to avoid legal prosecution
Jay D. Dyson
jdyson at treachery.net
Wed Jun 8 11:41:52 EDT 2005
On Wed, 8 Jun 2005, Maxim Kostioukov wrote:
> Would someone advise on how to approach in sense of legal agreements
> BEFORE doing any security research?
It's always a good idea to cover your butt when treading into
murky legal territory...and digital security research gets darker and
murkier by the minute these days.
> For example, one is doing penetration tests on web apps without a
> written agreement or, even worse, without the other side being aware of
> the test, then informs that side about the findings (not disclosure them
If you have no agreement, then you are not doing "research" in the
eyes of the law; you are attacking. No matter how pure your motives or
what manner of disclosure you do, the drones at the Effa-Bee-Eye and the
local County Mounties will still treat you like you intentionally ran over
a nun. And don't think the courts will be any kinder.
Look at it this way: if I see my neighbor has a window on his
house that's always left half-open when he goes to work, I'm not entitled
to go over to his house, crawl through his window and prove what a bad
idea it is to leave one's window open in the name of "security research."
If the black & whites roll up while I'm thumbing through this guy's DVD
collection, you can bet my credibility for purity of motive isn't going to
have a receptive audience. Even though I didn't do anything violent to
get into the house and I didn't take anything, it's still Breaking and
Entering coupled with Burglary. Don't even bother proclaiming your
innocence. Everyone in jail is innocent...or so they say.
> Any chance for legal prosecution to be fired in case if the other side
> just would like to do this? I think it is possible... Any advice?
Here are your options:
1. Get a signed contract with the site's proprietors to
do a penetration test, or
2. Get a copy of the software they use, build your own and
have a rip-roarin' good time tearing it apart, or
3. Walk the other way and fugedaboudit.