in your agreement, followed by a statement absolving your team from unintentional problems,then, yes—congratulations—you’re accountable.Want another one you should think about? Try worrying about what actions your targettakes when they see you. If a network admin shuts everything down because he thinks they’reunder attack and that causesfill in the blank,are you at fault? You may be if you don’t have aclause that reads something like the following:The actions taken by the target in response to any detection of our activities are alsobeyond our control…What happens if a client decides they don’t want to accept that clause in the agreement?Well, since there’s absolutely no way to guarantee even the calmest of pen test tools andtechniques won’t alter or even destroy data or systems, my advice would be to run. Justbecause toolsets and techniques are designated passive in nature, and just because they aren’tdesigned to exploit or cause harm, don’t believe you can just fire away and not worry about it.And just as facts don’t care about feelings, tools don’t give a rip about your intent. Get youragreement in order first, then let your tools out on Spring Break.NOTEThe Computer Fraud and Abuse Act (1986) makes conspiracy to commit hacking acrime. Therefore, it’s important the ethical hacker get an ironclad agreement in placebefore evenattemptingbasic footprinting.While we’re on the subject of using websites to uncover information, don’t neglect theinnumerable options available to you—all of which are free and perfectly legal. Socialnetworking sites can provide all sorts of information. Sites such as LinkedIn(), where professionals build relationships with peers, can be a great place toprofile for attacks later. Facebook and Twitter are also great sources of information, especiallywhen the company has had layoffs or other personnel problems recently—disgruntled former
