Writing Permission Forms for Network Analysis?

Jacob asks: " I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company in which I worked for. Since I am no longer working for that company I do not have that same protection and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"

IANAL, but...

[Jester998]

IMHO, talk to a real lawyer. That way you can be sure the contract is legally binding, as well as probably closing up some legal loopholes that you might overlook yourself.

In situations where you might incur large amounts of liability, it's usually well worth the money to talk to a lawyer.

Re:IANAL, but...

[Gerry Gleason]

You could talk to a lawyer, but it's probably overkill. Write something up that describes generally what you will be working on, and how and why you are going to use snooping tools. Even without a non-disclosure agreement, you shouldn't reveal anything you accidentally find out, and only record and report on data that is related to work you are doing. Simple clear language, and having it acknowledged in writing by the client will make it easy to defend yourself if it comes to that. Of course, you don't want it to come to that, but the danger is really from politics. If you think the people you work for are challenging internal politics, and aren't completely in control of it, be very careful. Even then, as long as everyone knows what you are there for, and your work is outside of the very political, you should be fine.

I know

[The Bungi]

Buy a one-way plane ticket to Aruba and use it with alacrity.

--More Information---

[jredding]

I am NO LONGER a consultant so I do NOT have the legal protection that I used to have. My manager is aware of what I am doing but I worried about a higher up manager(s) that does not understand the workings of networks and labeling my work as "hacking" or "invasion of privacy".
I would also like to protect myself should my immediate manager be unavailable to stand up for me (ie. on vacation, changed jobs, etc. etc.).

Re:--More Information---

[ReverendRyan]

I would suggest that your current manager talk to the "higher-ups" and explain what you are doing RIGHT NOW. That way, confusion can be avoided later. After that is done, I would have a contract drawn up by lawyers (on both sides) so that you each understand exactally what is happening and exactally what is expected.

Good idea. Randall got burned.

[netringer]

Your caution is well founded.

Perl guru Randall Schwartz [stonehenge.com] was criminally prosecuted in the state of Oregon when as a consultant he warned his client's system administrators about poorly secured systems he found. [lightlink.com] He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.

I'd bet HE'D have some ideas whether the wording in a consulting contract would be good enoughto sabve you from his experience.

Re:Good idea. Randall got burned.

[kmellis]

Schwartz is a bad example. It's been a long time since I reviewed the details of this case, but IIRC, what he did was not in any sense what they were paying him to do. He did it from home, violating security procedures of which he was aware. He had as much business finding and using a security hole as any other person who isn't being paid to find such things--that being none. He broke the law.

Presumably, this guy is being hired to do work that is primarily, or includes, security related. He still should contact a lawyer and get all the wording right and loopholes closed; but even if he doesn't, anything he does do won't be comparable to what Schwartz did.

Re:Good idea. Randall got burned.

[Gerry Gleason]

He broke the law.

Maybe, but as far as I know he never 1) used the information against the company in any way, and 2) his intention was always to help them improve security. Yes, he was stupid for not getting some sort of permission to probe for security weaknesses, but the employer was much more stupid for how they treated him. A reprimand would have been more than sufficient. I would never want to work for a company that treated people that way, wrong or right.

From what I recall, I don't think he had done this from outside, but rather he had copies of the password files and cracking tools on his work machine. Maybe someone has a link to more specific information, but this is an important distinction.

SGI didn't appreciate the work of the guy who developed "Satan" either. Some people would rather not know about their security holes, then they might have to actually do something to fix them.

Re:Good idea. Randall got burned.

[FattMattP]

Randall Schwartz was criminally prosecuted because he accessed systems at Intel without authorization. What he did to get himself in trouble had nothing to do with what he was originally contracted to do. He cracked passwords to demonstrate to some other individuals that people were using weak passwords and should probably improve their security. No matter how noble his intentions were, he didn't have permission to access those systems nor was he employed to crack the passwords for any type of demonstration. Randal did something really stupid up and paid the price. The best you can do is learn from his mistake.

This is completely different from the story submitter who will have permission to test these networks but just wants a firm legal agreement in place before he performs any work.

Re:Good idea. Randall got burned.

[phaze3000]

Randal did something really stupid up and paid the price.

If working on ones own initiative to help a company you are employed by is something really stupid, I'd hate to work with you.

Re:Good idea. Randall got burned.

[FattMattP]

Then I guess you'd hate to work with me. Keep in mind that Randall wasn't an Intel employee. He was a contractor that was brought on to do a specific function. You're probably a student who hasn't entered the workforce yet (or hasn't been there for long) and don't realize that part of getting along with other people in a job is playing politics. I hate it and many other people do too. But if you are going to expose that someone's security isn't up to snuff, and you don't have some political backing to do so, then when it makes the person in charge of said security look bad, you can be sure that they're going to get back at you somehow.

Now if Randall had asked permission to do what he did and received the approval to do so, then that would have been a different story and he wouldn't be in the situation that he found himself in. But Randall didn't ask permission. He assumed authority and responsibility for something to which he was not given and got burned when he was caught.

In other words, Randal did something really stupid up and paid the price.

Don't just talk to a lawyer

[dbrutus]

Also talk to an insurance company. There might be some bonding or other insurance that covers the situation.

Something actually USEFUL to you

[Jeremiah Cornelius]

Jeesh, guys!

The guy is asking a question here!

You will find most of what you want to know at the SANS Reading Room [sans.org] site. This is an invaluable resource for your line of work.

SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.

Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities resposible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR [sans.org].

This is in the Reading Room, under the section Penetration Testing [sans.org].

You can adapt some of this to your needs - keeping a Lawyer on retainer is a bit steep for a single, independant contractor these days, with contracts like provebial hen's teeth. Insurance isn't probably a bad idea though.

Re:Something actually USEFUL to you

[jredding]

Thank-you for the information, you posted the ONLY decent information. Lawyers are great but unless you find a good one there aren't usually technically adept. Having a rought draft of a document before I sit down with a lawyer will definitely help me.

Thanks.

Where?

[SN74S181]

Umm, maybe this sounds like a dumb question, but where are you plugging in to do this sniffing? You say you're no longer associated as a consultant with the company you were with before.

Are you plugging in at random somewhere? Whose wires are you planning on or presently tapping into?

Re:Where?

[smallfries]

Not really ;) It's quite a good question.
If you are contracting your services to them specifically to test their security then your contract that you draw up should include access to their network. Presumably you will be plugging in a box with AirSnort et al and they are supplying you with the data.

As somebody else mentioned above if you're unsure about drawing this up yourself then you should pay a lawyer some money as it isn't really that much hassle and will cover you from a lot more expense if it does go nasty.

If, on the other hand you're going to be running externally eg you're going to do intrusion testing from the internet to try and break their firewall or see if their servers are vulnerable, then the legal status is a lot more hazy. In this case I think that you'd definitely want to get a professional to write up a contract. Does anybody know the detail of that?

check the location bar.

[/dev/trash]

This is Slashdot not PrePaid Legal.