CanSecWest hacking contest UPDATE (How did your OS fair?)

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

CanSecWest UPDATE

Laptop With Vista Attack Code Listed on eBay:

http://www.pcworld.com/article/id,14...l?tk=nl_dnxnws

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I will grant xor many of the points he's making... but i think that the key issue i have with the situation (as Chris pointed out) in addition to them taking that asshattery too far is the voided warranty due to hard disk removal.

nowadays, hard drives (at least on normal computers, i don't know about Macs... someone please correct me) are all in their own very nice and simple caddy which can be removed by popping off a plastic panel and taking out two to four screws. a monkey on acid could do that effectively.

i think that any company who will not protect your data properly should be obligated to let you remove the hard disk before any service is performed or else automatically win a spot in the fucktard hall of fame.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Chris also brings up some very valid privacy and responsibility concerns.

You are doing pen testing for a client which you have signed a rigorous NDA.

In the course of your pen testing you discover the worst kind of child pr0n. You are legally bound by your NDA, but morally and ethically bound to tell the authorities. There is also the business aspect, if you tell the authorities how will this hurt your practice?

What do you do?

xor

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I've never signed an NDA, but don't they normally define what can and cannot be disclosed? Meaning, you cannot disclose corporate secrets, but anything not defined is fair game.

Plus, when you issue your report, you could always state that you found kiddie porn on a certain machine and allow the company to deal with it.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Playing devils advocate here.

Suppose time goes by and the company chooses not to do anything about it. If you don't report it don't you then become an accessory after the fact?

Some crimes whether you are guilty or not a mere accusation is enough. Hope Thorn chimes in here.

xor

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

<yawns, scratches, sucks on coffee> Did someone mention my name?

It depends on the state. Although generally, I'd say that yes, if you have knowledge of a criminal act, and you fail to act on it in reasonable time, you may be charged with an accessory after the fact. "Reasonable" being the operative word. Jur1st can probably provide more interpretation on what's "reasonable" under most laws, but it usually comes down to what would the average Joe Citizen find to be reasonable.

It may also depend on the state's particular laws and the contract/NDA, and the details in those documents.

Frankly, my position would be that I'd advise the CEO, Board of Directors and company's Counsel, and give them a deadline to act or I would. Because otherwise that puts my butt on the line.

Child porn is pretty clear cut. What's more slippery is finding things that might not be quite as easily defined. Example: How about finding what appears to be a second set of books on the CFO's PC. Is it some sort SOX violation, or are the doing a conversion from one bookkeeping package to another, and haven't told you? Are you liable criminally if you have strong suspicions, only report it to the company and then watch them sit back and do nothing?

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Oddly enough, here's an article that's kind of along these lines.

http://www.cnsnews.com/ViewNation.as...20080402a.html

Granted, no NDA involved, but the employee was told by her supervisor not to report the crime.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

The easiest way to deal with this is before it becomes an issue. We put a clause in our Rules of Engagement that states that any illegal content will be reported to client management and the appropriate law enforcement agency. Both our team and the authorized client representatives (which usually includes a member of their legal team) sign these Rules of Engagement and therefore we are in the clear NDA wise if we discover illegal content on a target system and report it to law enforcement.

If you are doing pen test work and don't have a similar clause in your agreement you really should discuss it with your legal team and get it added. All the Rules of Engagement are is a big CYA document so you don't get fucked later.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Like I said, only the new MacBooks make it easy to swap a drive. The new MacBook Pros require removing the topcase (where the keyboard is) to get to the drive. In the old white iBooks you had to almost completely disassemble the machine.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Just to test out Apple, the next time I bring in my laptop I will see if I can get the employee's to remove the hard drive and hand it back to me before shipping it off.

I have talked to many of the people at the Apple store, and one customer that came in with a MacBook had his hard drive removed and they did not say anything about it what so ever, maybe he got hit with charges when he came to pick it up, I don't know.

Would be interesting to know.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I've sent in a couple hundred laptops into Apple with non-apple drives in them, they never said a thing.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

While there's plenty of people who would shout "personal anecdotes are not hard data" (and this would apply both ways in this scenario, actually) i think Chris' larger point pertains to stated policies more than specific company behavior.

It may be the case that 9 times out of 10 they turn their head and just service things for you anyway, but the fact that somewhere in black and white people are making ass-face assertions is a real pain, particularly when it can potentially come back to bite you. It's never easy getting a soulless, monolithic corporation to honor your requests for help under the best of conditions... it can be an even bigger headache when you've transgressed against the fine print, even if it was fine print that historically was ignored.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Not any more Chris. The latest update for iTunes installed Safari on my Windoze box at work.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Yup, iTunes tried to do that tonight to my wife's PC.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Yeah, I noticed that Apple's updater is now pushing Safari. I politely declined.