The Difference Between a Hero and a Criminal
A Black Hat and a White Hat may use identical tools and techniques; what separates them is authorization. In the US, accessing a computer without authorization is a federal crime under the CFAA, and depending on the circumstances it can be charged as a felony. Written, signed permission is what turns an attack into a test.
1. The Law
- CFAA (Computer Fraud and Abuse Act, 18 U.S.C. § 1030): The primary US federal law criminalizing access to a computer without authorization or in excess of authorized access. Most US states have their own computer crime statutes on top of it, and most other countries have an equivalent (e.g., the UK's Computer Misuse Act 1990), so check the law of every jurisdiction where the target systems and your own activity are located.
- DMCA (Digital Millennium Copyright Act): Its anti-circumvention provision (Section 1201) penalizes bypassing access controls such as DRM and has been used against researchers. A good-faith security research exemption exists, renewed every three years by the Librarian of Congress, but it is narrow and conditional, so read the current exemption text before relying on it.
2. Rules of Engagement (RoE)
Before you send a single packet, the engagement must be defined in writing.
- Scope: What are we allowed to attack, and what is explicitly excluded? (e.g., "Only the IP 1.2.3.4", "Do not attack the Payroll Server"). Confirm the client actually owns or controls every listed asset; systems hosted by a third party (cloud or SaaS providers) may also require that provider's permission.
- Timing: When can we attack? (e.g., "Only between 9 PM and 5 AM"). Agree on who confirms, on the day, that the window is still valid.
- Emergency Contact: Who do we call, at any hour, if we accidentally crash the website? Agree on a channel that gets a human (a phone number, not a ticket queue) and on what the tester stops doing until the contact responds.
3. The "Get Out of Jail Free" Card
You must have a signed **Letter of Authorization** on company letterhead, signed by someone with the authority to grant access to the systems in scope. If a system administrator, a hosting provider or the police question what you are doing, this document (together with the RoE) is your evidence that the access was authorized. Keep a copy with you on-site and another where you can retrieve it if your equipment is seized.
🔬 Lab Exercise: Drafting Scope
Scenario: You are hired to pentest "Messink Corp".
Draft an Authorization Letter that includes:
- The precise IP addresses (or hostnames) allowed, and an explicit list of anything excluded.
- A clause stating that Denial of Service (DoS) attacks are forbidden.
- Signatures from both the Tester and an officer of Messink Corp authorized to grant access (e.g., the CEO), with dates and the period during which the authorization is valid.