That's right - I'm not going to post about Apple's recent iPod malware incident, their (surprising) blaming of Microsoft for it, or Microsoft's subsequent blunt response. Surprise you? Yeah, me too. But I'm kind of late to the party; Kurt Wismer already wrote about it as did Ed Felten and Mike Rothman. What am I going to add that's new? Do I think it's unfortunate that the virus got distributed? Sure do, but it apparently didn't do much to Apple's incredible earnings so it's no skin off their nose. Do I think they were right in blaming Microsoft? No, I personally happen to think it's petty, but it is (as Mike indicated) in line with their general marketing message so I guess it's pretty much just another day at the office.
However, what I do find interesting is the fallout over the whole HP pretexting debacle. A colleague (thanks Dave) brought up a point that I hadn't really considered before; namely, to what degree are investigators (and auditors, assessors, pentesters, etc.) culpable for the actions they are hired to perform? Now, it's one thing if those activities are illegal. But HP claims - and most PIs concur - that pretexting isn't entirely illegal (just dirty). Well, I guess it's more complicated than that - pretexting is clearly illegal for financial records, but HP didn't get financial records. It also may be illegal in California - and I guess we'll find out soon enough whether it is. And from a broader angle, there are laws in the works to make pretexting for telephone records illegal, but they're not in place yet.
Now, stay with me on this... What if we assume for a minute that HP's right and the methods weren't illegal? But - hypothetically now - if I were a security auditor and a company hired me to test its call centers against social engineering, that would be OK, right? Or if a company hires me to perform an "information gathering" activity such as a penetration test to see how susceptible it is to attack? Fine again, right? But what happens when that activity - the attack, or the social engineering, or whatever - is commissioned at the highest levels of the firm (like the CEO), but for some sinister purpose (like spying on a board member)? Am I on the hook to ferret that out and refuse the job? Is it my job to understand the intent of the test?
In the case of HP, the waters are a little murky because the investigators were doing something they can get sued for - but if this had been a sanctioned test (like HP trying to see how susceptible it was to corporate espionage by hiring people to dig up info on board members), it would have been "no harm, no foul," right? Cingular wouldn't be suing, it'd be just another day at the office for the investigators, and HP would have learned something about how corporate espionage applies to them. And that's exactly why this makes me nervous... Take pen-testing. Attacking a computer system is illegal, right? A pen-test (and tests like it) is an attack on a computer system, right? If someone in a firm contracts for a pen-test (even if it's the CEO), it's generally accepted that they have the right to do that. But what if the CEO's shady and has nefarious intent? Do I go to jail if it turns out that the CEO isn't on the level? Wow, that's not cool... Now, I'm not saying that the investigators in the HP case should be gaining information in a shady way - that's not cool either. But I will say that I think the HP execs are the ones we should be nailing to the wall - not the investigators. But that's just my two cents.
Posted by Ed at October 19, 2006 10:18 AM