Results 1 to 5 of 5

Thread: Pentesting Ethics: Should I do it/ Is it legal?

Threaded View

  1. #1
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Pentesting Ethics: Should I do it/ Is it legal?

    This thread is a collection of posts from our old forum. There are always people who come by and have what they believe to be a vulnerable network, and feel the need to save the day. There are probably just as many different cases as there are answers for those cases. A Doctor's office that uses wep. An elderly woman who's network is open and broadcasting for the world to see.
    In this thread I will present one of those typical cases and the answers that were given. Ethics generally has different meanings to different people. As such this thread should not take the place of valid legal or professional advice.
    Feel free to add to this or use as a reference.

    QUOTE=sociopathichaze So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page and a half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password protect your network printers if your going to use a 1to1 nat and not use acl's to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
    Should I post all the info I obtained?
    Should I email the Dean and explain why he should fire these idiots?
    Should I email everyone in the student/faculty directory telling them their data isn't safe?
    Should I do nothing and let their current security through obscurity model stand?
    Should I post this in a different forum where someone might care?
    Last edited by Archangel-Amael; 01-24-2010 at 12:46 AM.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •