Another good idea is to REALLY verify that you are hitting the right IP
owned by the organization. Small shops sometimes don't know their own
subnet or IP addresses, so try to verify by looking at a router config
or whois lookup. That way you don't whack the wrong victim and get
liability from someone you *didn't* get a CYA letter from. Could really
put a damper on all that altruism :)
P.S. For Pete's sakes, people, don't send out of office replies to a
listserve. Every time I send an email to this list I get about 30 of
those suckers. Geesh
Mark Lachniet
-----Original Message-----
From: Matt Bellizzi [mailto:matt.bellizzi@nokia.com]
Sent: Wednesday, December 15, 2004 2:21 PM
Cc: pen-test@securityfocus.com
Subject: Re: Volunteer pen testing
Thanks for responding everyone. Well it looks like there
are two camps
here. The first group mostly objects to the liability to me. The
second thinks it's a good idea. It looks like I should seek
some legal
advice. Luckily my company offers that as a benefit. Or
I'm sure I
could probably find a lawyer to do it pro-bono. Looks like
I'll need
a NDA for me, a letter of intent and a agree to hold harmless for my
client. If someone out there has some boiler plate examples
of these I
would love to see em. A couple of other issues were also
brought to my
attention. Like What is the scope of the pen test? Also
what happens after the pen-test? And finally who to call if
I DOS something. Off the top of my head. The scope of the
pen-test is Dependant on the client's network. The actions
after the pentest depends on if they staff or not. As for
crashing machines....I'm thinking that before even attempting
to test I would have to meet with the whomever they have on
staff and co-ordinate off times for testing and contact numbers. I
would also not run actually dos exploits. This might not be
considered a pen-test but, I still think it might be useful
and/or fun.
