Also make sure the people who hire you actually own the system being tested.
Like if my neighbour hires some random to pentest my house for kicks, it doesn't make it OK for the pentester to break into my house because they signed a contract with my neighbour.
> Also make sure the people who hire you actually own the system being tested.
There's an ongoing political dispute in Iowa over the extent to which the court system controls court buildings. The courts maintain they have full control (and thus can legally authorise, eg, pen testing), and (perhaps unsurprisingly) they keep winning court cases about it.
Some of the criticism of Coalfire, DeMercurio, and Wynn was about how they were pentesting buildings their client did not control, but it's worth noting that this is 1) disputed and 2) almost certainly wrong (at least from a legal realism point of view).
It's worth emphasising, I think, how much this story had to do with jurisdictional fights between different branches and levels of the Iowa state government, and how little it had to do with Coalfire, DeMercurio, Wynn, or pentesting.
A huge part of this comes down to Coalfire having a good faith belief that they were acting on the lawful instructions of the rightful authority. Putting myself in their position, I honestly can't think of who I would ask for clarification if the judiciary says it's OK. If there was any hint of a legal question in advance, these are exactly the people you would be asking for a ruling. By seeking the contract, they effectively gave a ruling: this is OK for you to do.
I can't fathom how that wasn't the end of the conversation right there. "Who granted you permission to do this?" "A whole buildingful of judges." "Oh. Sorry, we'll take this up with them."
Seriously, stay out if politics are involved as a pentester, or even as an MSP.
We had a legal matter with a county commissioner requesting the MSP use an external hard drive to transfer documents which the commissioner had no right to access.
I really wish people naturally had the habit to spell out their initialisms or acronyms the first time they use it in a post (if it is not used in previous posts), and then use that shorthand for the rest of the post.
I would even request that this be done for something as obvious as DMV (Department of Motor Vehicles). Making this common practice removes the guesswork of whether an initialism is sufficiently obvious to the average reader. For some media forms, I do not have the luxury to comment or ask the original poster to explain what an initialism stands for.
Trying to find out what an initialism stands for is even harder when you try to search for it on Google and many other versions of it exist in different contexts.
> I would even request that this be done even for something as obvious as DMV (Department of Motor Vehicles)
Literally a day or three ago I saw someone in a HN thread asking what "DMV" means, so yes, I strongly second that request. HN has an international userbase.
This was drilled into me from a very early age but I do have a habit of not being consistent with it. I often take for granted that there are those who don't have English as a first language and may not know the most common acronyms and initialisms like WTF, AFK and otherwise. I'd have put MSP in that category and assumed it was more common.
Acronyms are more than just language specific. I live in England and many of my non-IT friends wouldn't know what AFK means. My mum wouldn't even know what WTF means. And I knew the former two (though it took me a second to remember AFK because it's not one I use personally) but hadn't heard of MSP before.
Sometimes it's not even just a case of people not having come across acronyms before, but rather those acronyms could be short for terms that aren't even used in other English-speaking countries (never mind non-English-speaking ones). The DMV is a great example because in the UK they're called the DVLA.
It gets worse still because even people working in different industries in the same country might have come across different meanings for the same acronyms. For example I once worked with an ex-military officer who would get confused every time we'd talk about ISO (in terms of burning a Debian CD image) because he'd been used to the term used in a different context (I forget exactly what it meant to him but I think it was something to do with temporary buildings -- maybe someone else on here might know?)
So it should never be taken for granted that a "common" acronym is universally understood.
> And how can you and the parent comment bang on about it in this context and not think to spell it out?
>
> Pretty amusing!
The conversation wasn't about any context in relation to AFK (away from keyboard) but rather about the trouble with using acronyms. Not knowing what that acronym means doesn't alter the readability of the comment (in fact ironically it actually helps hammer home the point I was making).
This is also why I didn't spell out DVLA (UK Driver and Vehicle Licensing Agency) despite introducing a new acronym to the conversation; and why I did explain which "ISO" I was referring to because the context there did matter to explain my point.
This is a very important bit of insight. Thanks for this perspective. My comments about contractual protections aren't nearly as strong in light of this.
Depends, if the pentesters didn't ask for any proof that your neighbour owned and occupied the house then sure, the neighbour and the pentesters should be prosecuted.
But if your neighbour lied and falsified documents to the point reasonable due diligence would have been fooled, perhaps the pentesters can be considered not at fault?
> But if your neighbour lied and falsified documents to the point reasonable due diligence would have been fooled, perhaps the pentesters can be considered not at fault?
And here we end up back with irjustin's proposal that if pentesters are doing things that would be illegal without proper permission, they need to be prepared to spend some time in jail. Their risks there for which they need to be compensated include their own organisation failing in their due diligence and sending them into a test for which they're genuinely not legally authorised.
> And here we end up back with irjustin's proposal that if pentesters are doing things that would be illegal without proper permission, they need to be prepared to spend some time in jail.
This sounds very unreasonable once you start applying it to other actions in life. For example, picking up someone's kids so they can go on a play date with your own kids. That's kidnapping without permission. Should everyone who picks up another person's kids need to be prepared to spend time in jail for kidnapping?
This is an issue in schools today regarding after-school care and custody handoffs, with the liberty/efficiency-oriented people battling the law & order/safety/think-of-the-children people. They both have valid perspectives, as is usually the case in matters of statistical danger.
Yes. I don't understand why this isn't part of the game plan. I understand not informing the patrol level of the police dept, but I don't see how informing the admin above does. The deputy chief is not involved in the management of an enforcement patrol/stop.
Unless you're hired by the chief of police, that sounds very close to testing a system - the police - without the permission of the owner?
And there are safer ways to find the police's reaction time than having them turn up with guns drawn, finding signs of forced entry, and finding you - a non-employee - sneaking around with burglary tools.
For example, you could make a FOIA request for their internal records, ask a local journalist - or if you insist on a real-world test, have the alarm 'accidentally' tripped by a legitimate employee arriving for work early.