Slashdot Mirror

← Back to Stories (view on slashdot.org)

Writing Permission Forms for Network Analysis?

Posted by Cliff on from the covering-your-a dept.

Jacob asks: " I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company in which I worked for. Since I am no longer working for that company I do not have that same protection and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"

3 of 21 comments (clear)

  1. Re:Good idea. Randall got burned. by FattMattP · · Score: 3, Interesting
    Randall Schwartz was criminally prosecuted because he accessed systems at Intel without authorization. What he did to get himself in trouble had nothing to do with what he was originally contracted to do. He cracked passwords to demonstrate to some other individuals that people were using weak passwords and should probably improve their security. No matter how noble his intentions were, he didn't have permission to access those systems nor was he employed to crack the passwords for any type of demonstration. Randal did something really stupid up and paid the price. The best you can do is learn from his mistake.

    This is completely different from the story submitter who will have permission to test these networks but just wants a firm legal agreement in place before he performs any work.

    --
    Prevent email address forgery. Publish SPF records for y
  2. Re:--More Information--- by ReverendRyan · · Score: 2, Interesting

    I would suggest that your current manager talk to the "higher-ups" and explain what you are doing RIGHT NOW. That way, confusion can be avoided later. After that is done, I would have a contract drawn up by lawyers (on both sides) so that you each understand exactally what is happening and exactally what is expected.

  3. Re:Good idea. Randall got burned. by FattMattP · · Score: 3, Interesting
    Then I guess you'd hate to work with me. Keep in mind that Randall wasn't an Intel employee. He was a contractor that was brought on to do a specific function. You're probably a student who hasn't entered the workforce yet (or hasn't been there for long) and don't realize that part of getting along with other people in a job is playing politics. I hate it and many other people do too. But if you are going to expose that someone's security isn't up to snuff, and you don't have some political backing to do so, then when it makes the person in charge of said security look bad, you can be sure that they're going to get back at you somehow.

    Now if Randall had asked permission to do what he did and received the approval to do so, then that would have been a different story and he wouldn't be in the situation that he found himself in. But Randall didn't ask permission. He assumed authority and responsibility for something to which he was not given and got burned when he was caught.

    In other words, Randal did something really stupid up and paid the price.

    --
    Prevent email address forgery. Publish SPF records for y