
Contracts, How do they work?

BSides Delaware · 2016 · 57:31 · Published 2016-11
About this talk
BSides Delaware 2016 Talk: Contracts, How do they work? Speaker: Alexander Muentz

So I apologize in advance for the ICP theme. As I said, it amused me greatly at the time, and then I realized that there's a problem because it's clowns, and as we all know, clowns are truly the biggest threat facing America nowadays.

So who am I, and the disclaimer: I'm a security professional by day, ex-pentester, disassembler of things, evaluator of risk. Now I seem to be in that management consulting role where I try to convince people that security might not be a bad thing, but not in a beat-them-up kind of way. I'm no longer saying no; I say let's figure out a better way, or, as my boss likes to call it, solutioning your problem space. I say that with a straight face because I am this far from getting a consultant-as-[ __ ] neck tattoo. I'm not speaking for my employer, especially if I still have one after the end of this talk.

I'm also a lawyer. I advise my fellow security professionals, and I see a lot of contracts. Generally people send me employment contracts, statements of work, master service agreements, whatnot. It could be entry-level pentesters trying to go, "Is my company trying to screw me?" It can be veterans who are, "Hey, I've been doing this for a while and I want to license some technology to somebody. Are they trying to screw me?" And I get to have a really good visibility into our industry by doing that. And there's nothing as creepy as me saying to somebody at a conference, like the chief counsel for a large shop, "Man, I've read a bunch of your contracts," and they're like, "How did you see them?" Because I'm the guy who doesn't say no, I write a lot of contracts. Even though my day job is doing security, I get the job of writing statements of work a lot because, well, I'm a lawyer. I am NOT a juggalo. As I said, the shtick was funny at some point; I think we've hit that point.

So what are contracts? They're formal promises. They clarify terms that we're agreeing to. They define satisfaction of promises, and I know that sounds strange, but I promise to do this thing; well, how do we know when we're done? Right, simple contract: I will sell you my car for five thousand dollars. Well, how do I know that we're done? You have my car, I have five thousand dollars. Were there other promises entailed in this conversation? Did I promise something else? Did that go away during our negotiations? Because if you've ever sold, especially if you sell consulting services, you know how you talk about a lot of things, and then you send them a proposal, and they go, "I really like the proposal, except for one thing: it's too expensive. Can we do something different?" And the next thing you know, you've cut a bunch of stuff, and they still think they're getting what you originally proposed, and that doesn't work. So the point of a contract is to lock it down and formalize it and say, yeah, at one point we talked about that; at one point we talked about a five-course dinner; you're getting half of a Big Mac because you're paying one-tenth of what we originally talked about. So the purpose of a contract is to lay all that out in such a way that it's formal, so that way at the end no one's going, "But I think you owe me this."

It's how you assign risks of unknowns. Who here has ever knocked over a system during a pen test? I'm the only person who puts up their hand and admits that? Like, "Oh yeah, did you need DNS at that shop? Yeah." Who's responsible? Who's responsible when that actually causes business damage? In your contract you've got something like, "While we will attempt to not break everything we touch, if we do, we're not responsible for it." Like, we're responsible, but we're going to help you fix it, maybe, but if we cause you business losses, it's not on us. That'll be in your contract. It's the intent to be bound. It's a promise that is enforceable.

So, kinds of contracts. There's unilateral, which is a promise for performance: the first person who gives me ten bucks will get this roll of tape. It's one promise and performance, so the first person who hands me ten bucks gets the tape. Then there's bilateral, which is a promise for a promise. If Spiff Rogue just says, "Hey, I've got ten bucks, I'll give it to you for that tape," well, now he's not offering ten bucks; he's offering a promise to give me ten bucks. And for some people that's the same as ten bucks; for other people it's dramatically different, it's substantially less valuable. But then there's

quasi-contract. There are things that aren't contracts that still kind of bind people. We have promissory estoppel, which is a fancy way of saying I relied on your promise. And then there's detrimental reliance, which is I relied stupidly on something you said, like, I relied on your validation that this company was handling PCI data correctly, and therefore I, as a bank, am suing, even though I have no contract with a certain QSA; I'm suing them anyway.

So basic requirements of a contract, or questions of a contract, are: was there a promise? Did someone actually promise to do a thing? Exactly what was promised? And then, was there consideration? Consideration is value. I promise you a thing for a thing. Both of those promises may have some value, but there has to be something of value, and something of at least minimal value. Oftentimes contract textbooks will talk about one single peppercorn, or a penny, or a dollar. It doesn't have to have significant value; it just has to have some value. A promise itself is consideration: in a bilateral contract, a promise to do something or not do something is consideration. However, what isn't consideration is promising to do something you already owe. Now, when I said I'll give someone this roll of tape, and they give me ten bucks, and I don't give them the tape, and I say, "Well, for another contract, if you give me another two bucks, I'll give you the tape," no, I already owed you the tape, so that isn't consideration for that second contract. And then the questions are: was the performance actually done? We promised something; did you get it back?

So breach of contract is when you didn't get what you expected to get: I failed to perform as agreed. And there's two kinds of breaches. There's material, which is where the thing that I haven't done is so core to the agreement. Like, I'm going to pay you for a penetration test; well, the penetration test is probably material to the contract, and the payment is probably material to the contract. Something like "it will get delivered on a certain day" may or may not be material, right? A late pentest report may be as good as a not-late pentest report, but not getting paid is material. And the importance of material breach versus immaterial breach is what it allows you to do. If it's a material breach, the other side, the innocent side, gets to say, "Nope, I'm out. I don't care what the contract said; I am withdrawing, I'm going to do other things now." A non-material breach: say, for example, I promise in my contract that I will provide a pentest and give you a report, and the report will be competently written, and instead I subcontract that out to someone who's, like, half literate. So it's a pentest, there's a report, and it's just badly written. You might, if you want to make that into your customer-facing letter, you may say, "I had to rewrite this; it cost me an extra five hundred dollars or a thousand dollars to rewrite your bad performance." So while it's not a material breach, I can likely get some compensation for that screw-up.

So, damages. When there is a breach of contract, there's expectation: if you had done what you said you were going to do, I was going to expect this, and I can be made whole. Say, for example, I was going to resell this product on, so I buy it from you for five thousand dollars. I have a buyer who's going to pay seven. You don't deliver it to me, so I can't deliver it on to my buyer. I was expecting two thousand dollars' profit. I can sue you for the two thousand dollars I was expecting, that two grand: had everything gone as planned, I would be two grand richer. That's expectation. Sometimes we might not know what that value is, so we put it in the contract and say liquidated damages: if this goes wrong, you owe me a thousand bucks, because we can't calculate what I'm out, really, so we'll just write it now as a thousand bucks.

And then another concept of breach of contract is mitigation. If I know that you're not going to uphold your end of the bargain, or you don't uphold your end of the bargain, I have a duty to attempt to minimize my damages. Usually this is often done in employment contracts: I hire you to do a thing; we don't start, because reasons; and you go, "Well, I was contracted to go do this work for you for two weeks, but nothing happened, and I didn't find any other work, so I pretty much spent two weeks on Reddit eating nothing but Cheetos." No. You have to minimize your losses; you should have done things like go out and find other work. You should have mitigated your damages, as opposed to the job that didn't materialize.

And then there's anticipatory breach, which allows me to say: you have made no attempts to perform under this, and because of your ineffective or non-existent attempts to perform under this, I think you cannot finish, you cannot actually perform. Usually this is brought in as things like contracting: you said you're going to paint my house and it was going to be done by the end of October. It's halfway through October and you haven't shown up; you haven't even asked me what color paint to use. You can't possibly complete it in time. I'm backing out because I am anticipating that you're going to breach. I'm out.

And then there are two other concepts, called waiver and laches, which is: in the performance of the contract, there are certain ways that one side does not fulfill all the needs, and the other side doesn't care enough to call it out. We call that waiver. Say, for example, you promise something to be done on a certain date, and it shows up two days later. If I don't call that out, if I don't say, when it was two days late, "That's a problem," and we keep on doing it where it's always two days late, eventually I'm not able to say, "Oh yeah, six weeks ago that was two days late; I'm not paying," because we've waived it. I haven't called it out; I haven't said anything.

So before I start talking about actual kinds of contracts, I want to point out that getting clever with contracts is not always a good idea. A lot of people ask me to write really just nasty contracts with ugly penalty clauses and the like, and I try to school them not to, because unfair, one-sided contracts don't help anybody, for this reason, and I'm going to give an example: like hiding terms under other headers. If you read a contract, it usually has a header for each section, so that way we're going to talk, like, non-disclosure: you may not disclose

anything you learn under this because it's important to us. Thank you. If you hide another clause under that header, like non-disclosure and assignment of intellectual property, because you're going to breeze through and go, "Oh yeah, non-disclosure; non-disclosure's non-disclosure; don't care," but if you hide something else, you're being a dick, and it means that if you're willing to do that in the contract... It's the first thing you see when we're actually talking about going from a sales pitch. Remember, sales pitches, everything is wonderful, right? Everyone is on their best behavior. It's like dating, but you want to have one hint about what this person is like when things are more settled. Are they going to be a horrible, horrible person? And the contract is the first time you can see what these people are actually going to be like when things get a little... see ya.

Overbroad assigning of unrelated rights: I've seen this in a bunch of contracts, like, "All intellectual property you've ever developed is ours." Like, no, I probably walked in with a couple of inventions that were made on my time, or a previous employer's time, not yours. You cannot have those. But you look for that, and you'll go, "Wait a minute, you want that? You're going to be a pain in the ass to work with." And the takeaway I have is this is the first time you get to see how the working relationship's going to work. If they're going to be a pain in the ass now, four weeks into this they're going to be horrible. And sometimes you take a look at their contract and you go, "This tells me bad things about you. You're going to be a pain; you're going to try to screw me." And I'm thinking of a few friends who are dealing with this, where someone brought them in to do some work, and everything was cool, they did the work, and then it was like, "Yes, we'd like to be paid; we'd like to be paid our expenses for this," and the person who brought them in is like, "Uh, yeah, about that..." And some people require the threat of a lawsuit to pay up. Some people won't pay even after the suit's been settled. You know, the Donald Trump argument: like, "Yes, you may provide the services; I'm not paying you until you make me." And the problem is that if you know going in, when you see the contract as being very one-sided, that means they're planning on screwing you, and it makes sense to say maybe I should hold off, maybe I should renegotiate the contract, or, if you are, you know, thankfully in our industry where there might be another contract just waiting to happen, you go, "Nope, not doing business with you. Maybe you should try to find someone more desperate."

So, getting clever with contracts, continued. These are ways of being clever with contracts that are actually helpful, and I call this acceptable cleverness: the brown M&M clause. Those of you who are under the age of 35: there was once a band called Van Halen, and what makes them important is that they were one of the first big arena rock shows. Prior to them, even big shows, all their equipment might fit in two or three 18-wheel trucks. Van Halen's show was like fifteen 18-wheel trucks, and they required certain engineering capabilities from the building: it has to hold this much weight, we need this much power, we need this much crew. And concert promoters, sleazy creatures that they are, would just sign whatever contract, and there's a case where the Van Halen stage show actually damaged the property because it wasn't built to hold the weight. So David Lee Roth, the lead singer, comes up with the idea of, in this contract (and the contract rider is like 85 pages because it's also all the specs: here's where the power has to be, here's how the lights have to get set up, here's this, this, this and this), they put a clause in that said there will be a bowl of M&Ms in the dressing room, and there will be no brown M&Ms in that bowl. And many people, when first seeing this, go, "Oh God, it's just rock-star pretentiousness." Instead, it's a very, very quick way of determining whether or not you actually read the requirements and are producing something that I can work with, right? David Lee Roth can't have his own crew go and check power; you can't check the engineering specs on the building. But it's really easy to go: no brown M&Ms, they read the contract.

I'm a fan of the tech version of that: the RFC 1149 requirement for any network gear. Some of you laugh; some of you should look it up. It's IP over avian carrier, and there is nothing like putting that in a requirement to see what happens, because you get a sales guy who's like, "Oh, of course it's RFC 1149 compliant," and there's a sales engineer going... he's looking at you, like, "The guy we're trying to sell this to is clearly an [ __ ]. He's smiling and I don't like it; I don't know why." And you watch the sales engineer going, "I'll get back to you on that." I actually did that. There was a tape robot, a tape library, and it's like, "Is it RFC 1149?" and the sales guy was like, "Of course it is," and the engineer, "No, I'll just get back to you," because he's asking us, and we had some other requirements we wanted as well. They would go, "Of course it's FireWire compatible." It's SCSI, not FireWire. So make sure everybody's actually read it. Like, if you have specific weird requirements, like you have a union requirement, or a prevailing wage, or you've got a nationality requirement, you can't have any non-Americans on the contract or something like that, you want to make sure that they've read that weirdo requirement now, instead of going three weeks and then they're like, "Oh, did you mean that?" Yeah, yeah, you did. So quickly do something that should make them laugh.

That's common. It's very common to see recycled contract language, especially in this industry. My favorite is one that I got from someone in the community who was like, "I'm trying to sell services to a mid-size company in the space, and I read the contract, like, are these guys hooked up with Yahoo? Because sometimes the contract specifies 'the Company' and other times it specifies Yahoo." I'm like, are they a Yahoo subsidiary? And we're like, "I don't know why Yahoo has a subsidiary in Allentown. I don't know." And then we finally asked the opposing counsel, and it's like, "Oh yeah, we just took the boilerplate from Yahoo's terms of service." Like, have you heard of find and replace? I would just recommend that. I found out he billed his clients like twenty-eight thousand dollars to write that contract. Like, I'm in the wrong business.

So other things you do with contracts is hedging risk. Indemnification: in the case of, say for example, you're operating as a QSA or you're operating as an auditor, and you audit a system, you audit a company, you audit an application, they may ask you to say, if you certify it as good, or you identify the flaws and we fix all those flaws, and it still gets breached and it causes us damage, we want you to cover our costs. That's indemnification. This can be dangerous, especially if you're a small shop. Hold harmless is a slightly less painful version of this, which just says you won't sue me for this. Oftentimes I try to put this in pentest contracts that I write, where it's: you will hold us harmless for our activities in scope. If we knock over a system that you told us to test, and instead of us getting shell we just dropped it, you can't sue us for it. We'll make every attempt to... you know, usually when I've languaged it, it says something like, "We will do everything we can to not break it, but if we do, you can't go after us for it." Liquidated damages: I don't know what my losses may be, but let's set them now. If this happens, you pay me X, instead of us having to have later discussions about it. A limitation on damages: even if I break everything, let's limit it at five hundred dollars, or ten thousand dollars, or whatever the two sides are willing to agree to. But it's a hedging of the risk: I don't know what the damages may be, let's set them. We can just fix them with liquidated damages; we can cap them with a limitation clause.

And this snags so many shops: somewhere in that contract you agree to follow NIST 800-53 or 800-171, or you attest to being ISO 27001, and it's always hidden there. The amount of ones I've read that have crazy requirements, like both FedRAMP and PCI requirements for a shop that writes software that doesn't touch payment card or federally mandated data, but they'll put that requirement in there. It's a way of me, if I'm writing the contract, hedging that you may lose my data: you'll meet these requirements. Usually I'll also pen in an audit clause that allows me to check to make sure you're doing that. This is more common in a something-as-a-service market, but it's something there.

Other clauses you'll see in contracts are how do we handle an eventual dispute. We may have a choice of law: any dispute under this happens under the laws of Delaware, or some other state. You just pick one that you think you know how it's going to go, so that way there's no surprises. You can do a choice of venue to prevent, say for example, I am a Pennsylvania corporation, a Colorado company hires me, I say choice of venue is Pennsylvania, so that way I don't have to go to Colorado if this goes sour. Arbitration and mediation clauses: oftentimes you'll see these in there to essentially require some step before actual court litigation. Oftentimes, though, these are one-sided: one side will require arbitration but not bind themselves to arbitration if they choose to initiate it.

Other things, like control of information, and these are the concepts you'll see there. The non-disclosure agreement: all information you gain under this stays with you; you don't publish it, you don't use it. Non-disparagement: no matter what happens during this engagement, you will not talk [ __ ] about us, ever. Restrictions on internal use: how you will be holding our sensitive information; it only stays within your practice area, it only stays within named employees. I've seen this a lot when you're talking, like, large consulting companies where, say, like Deloitte, you may say, "Well, I only want the following practice group to be able to see any of the information that we're giving you. We don't want this to go to everyone at Deloitte." Restrictions on reuse and marketing: I should be seeing more of this, where you grant rights about your marketing persona. Say, for example, and I've seen this in the field, where, like, a network manufacturer says, "We've just sold you a million dollars of equipment to solve a problem. We would like to be able to use your name and your logo for our next pitch, or for marketing materials." The problem is that, how many people have ever done really good open-source intelligence using marketing white papers? I know I have. There's nothing like showing someone the network map of their SCADA environment by showing a vendor presentation on it. Like, "That's the only secret information!" "No, Google gave me that," because the vendor's like, "Here's a picture of your network map," in a vendor presentation. So it's a way of controlling information you're giving. Assignment of intellectual property: if you develop any intellectual property under this contract, whose is it?

So you have, like, work-for-hire, where any intellectual property you create while you're working for us is ours; we paid you, it's ours.

So how to interpret contracts. There's ambiguity: I don't know what that term means, and you look for defined terms in that or the related contracts, if you have multiple contracts. If you haven't defined the term, you can use the customary definition in the trade or business. I have seen some shops that will try to bend this, as in a certain large information security vendor that believes that a Qualys scan plus manual verification is a penetration test. That is in their language. If you actually want someone to get shell on your system or to pivot, that is the "advanced penetration test." But that's in their contracts, and they're like 60-page contracts, so the only people reading them are lawyers, who might not immediately sneer at that. So, yep. So if we don't have defined terms in the contract, and if we're not clear on the customary definition, the court will often just say whatever's the commercially reasonable interpretation of that term. So that's the background on contracts: a half hour on contracts, for a course that's usually a whole year in law school.

So, contracts that affect us. Employment: we all like being employed. Usually employment contracts have the non-disclosure clause, a non-disclosure agreement: I will not reveal what I have learned here, usually limited to things like sensitive business information, the plans, proposed technology, trade secrets, and other sensitive information you have obtained during your employment. A non-compete: after working here, you will not attempt to hire people for a certain amount of time; you will not go to the people you supported, if you are in a consulting field, and try to get them; you will not work for one of our competitors for a certain amount of time. And the relative enforceability of this depends on what state you're in. For example, California restricts non-competes in ways that we don't on the East Coast. Non-competes have teeth on the East Coast; they don't have as much teeth in California. So that's why you go for the choice of law, choice of venue question in the original contract, and go, "Should I worry about this non-compete?" Work-for-hire, invention assignments: I've seen some ugly ones of these, where an invention you come up with six months after you've left is theirs, unless you can show that you never thought about it. And like, how do you show that? Like, I am not so anal-retentive that I take shower notes. You know, you have that realization as you're washing yourself, like, "Wait a minute, that might work," but how would I prove to my employer that I didn't come up with that on their time? So oftentimes, when you're negotiating a new job, there'll be a declarations page: these are my inventions; I walk in with them, I'm walking out with them. At-will employment means they can fire you for any reason or no reason. Even though this is an employment contract with them, the actual "can we end it?": yeah, either side can end it at any time, if it says at will. Most contracts usually are.

So the second kind of employment contract I'll go through is the termination or exit agreement. You've decided to leave. It may be a mutual decision; it may be unilateral. Maybe your employer is really tired of looking at you, and as such, well, they will ask you to leave. And usually, especially in this field, they'll ask you, like, "Look, we would like you to sign another contract, that by doing so you give up any rights you had to an employment discrimination lawsuit, any question that we still owe you money, any question about anything else we owe you, and in exchange we'll give you severance, we will extend your health insurance, we'll give you a thing." The last job I left, oddly enough, one of the promises they gave was two monitors. I mean, they're nice, like 22-inch, like, "Hey, that's cool," and that was a part of my exit agreement. But this is a final attempt to renegotiate things. However, they can add things into the exit agreement that weren't in your employment contract. So even though you may have walked in with your invention assignment, the exit agreement may rescind that, because it's essentially a renegotiation. So be careful. Oftentimes they'll have non-disparagement: you can't talk [ __ ] about us, we can't talk [ __ ] about you. Assistance: this is a fairly common one. I'm seeing this getting actually used for, if you haven't fully documented your code, or you have some chunk of information about a client situation or environment, there will often be an assistance clause that says they can essentially rehire you as a contractor; you agree to this to get them over that hump. I've seen it often threatened, because, you know, you're getting the "Hey, how does this work?" "Screw you, I left three months ago." "But you remember there's a trick to it. Tell me what it is." And they can threaten with, "We'll just rehire you," as in, "We can force you to come back and do the thing," so oftentimes you'll just divulge it: "Yeah, it's up, down, up, down, A, B, A, B."

So, business contracts. So you've gone from being an employee to maybe you're negotiating on behalf of your company, or you're running a company. Non-disclosure agreements: usually the first. What I think of this as is the

flirting part of the relationship all you're doing is saying I'm going to divulge some information we have no business relationship pass this it is merely that I want to be able to talk freely about what I'm trying to do so non-disclosure second one and this is for a in a contracting or consulting role the master service agreement this establishes all the rules by which we're going to do business right it doesn't say what we're going to do but this is things like how are you going to get paid if you choose if we do something are you going to get paid on invoice is it going to be net 30 net 90 based on a retainer how so all that all

the rules about every subsequent contract goes through the MSA so it's essentially how are we going to do business it's the first if you want to think of this is like a networking thing it's the handshake this establishes all the rules by which future business will happen but it doesn't describe what we're doing it just says if we do a thing this is the this is the master so in terms of payment assigning risks the actual performance is in another contract the statement of work those of you are consultants if you have not learned this yet this is the first thing you read when you're told oh yeah you've got a thing to do I

don't talk to the sales rep who sold it I don't talk to any of the engineers who are currently working on it I read the statement of work as I want to know what did we actually promised to do and I mean by read it I mean print it out and circle things that you're like what does this mean I used to one shop I work for the person writing the contracts and selling them would put in phrases that had no meaning weevil one of our deliverables was always a possibilities matrix what's the possibilities matrix I didn't know either so every one of my deliverables had section whatever possibilities matrix and it was like a

four by four matrix about possibilities and I realized it was like a way of saying we're going to sell you all these things you know like but this is actually if no value but we promised you a bunch of things but that's the that's the statement of work is all the things are actually promising on doing and all the things promising to do for you as in payment or anything else you might be getting from them the SLA the service the service level agreement how quickly will you respond what is your up time so this is less about kind of contracting more like if you're bringing on something as a service this is essentially your bought these

two though are essentially the if you have a conflict with the person you've contracted with this is the first thing you read and you reread it to figure out who's out of line so those are you work in healthcare this is a scary scary thing business associate agreement it is not merely a contract this is now actually by signing a business associate agreement you are certifying that you comply with HIPAA and the amount of times I cbas get signed by consulting companies who are doing work that should not be business associates under HIPAA but they sign it anyway because you want the sale all the sudden now you're promising that your own internal processes are

best practice who here thinks their own internal processes are best practice right there's not yeah like I remember this like clear desk clear screen as a requirement and I'm like well there is a there is a desk and a screen under these piles of paper and equipment because I remember doing it's like I wouldn't pass this [ __ ] you know I'm telling you coming oh yeah you should do that do you do it no all be you know all the official business locations of our company in Seattle may do this I don't know I'm not there right now my own office no so this is kind of a scare because it essentially says I'm agreeing to follow

hit high-tech security and privacy rules and you're like yeah but I'm a consulting firm I'm a freewheeling you know white hat hacker rules schmules I'm leaked all your stuff is going to be in a thumb drive on my desk at least I think it's on the desk it may have fallen off so you you're now ascribing to all those things that you expect someone else to do you're like oh yeah our it's an often will be I've seen this especially for doing work with really really large healthcare organizations like hospital chains are health insurers is that not only do you say that you're going to follow HIPAA they're going to also publish their own more rigorous security rules and you're

filling out the vendor assessments that you often send out, you're like, wait a minute, I have to follow this, I have to do these things like a peasant? No. So those contracts are dangerous. They have to encrypt your email, yep. The best one was like, you have to use those, and I hate those, it sends you the link that you come back to, and then you're like, why doesn't this work on my browser? Because reasons. You're like, do you have a one you recommend? Like, none of them. So these are dangerous, be careful. I find, even though I've done this where I try to explain to a client like, hey, an information security client, like

I'm not signing this because I'm not touching any of your healthcare data. Even four-legged things like a HIPAA assessment, like I'm not actually looking at your PHI. If I see PHI I'm not going to look at it because I don't want to know what you're doing. I would just call it out and say I could see PHI, but I'm not handling PHI, I'm not a subcontractor in that space, I'm not that kind of girl. Audit clauses: these can, these are threats, less so. Like the amount of time, if, if they're going to bother to do an audit beyond a questionnaire, a follow-up phone call and maybe a site visit, if they're going to look at a full-on audit, they're thinking

of dropping you, because you've, there's got to be a competitor to you somewhere that isn't screwing it up. So you want to be a pen tester: we've got an MSA you sign with the assignment agreement, which is how am I going to get paid, when am I going to get paid, what else do I agree to. Things that are dangerous: indemnification. I've seen this stuck into a bunch of master services agreements where the client expects you to indemnify them for any damages you may cause or you fail to find, and it's caused, as in you do a pen test and a clean bill of health, four months later they get owned, they want you to step in and cover their costs.

You can, I mean, if you've got 20 million dollars in the bank to indemnify as an indemnification fund, go for it. Otherwise you're going to an insurance company, who may now require that they view your stuff to make sure that you are a worthy risk for that, so be careful about this. Hold harmless: you won't sue me if this happens. I often try to get those into master services agreements for in-scope stuff. Statement of work: you include the scope of action in the statement of work, the following systems, applications, locations, however you're defining the, the, the work. You want it to be very, very specific. If it's, if you're doing a scan and pen test, the following IP addresses

are in scope. You want to make it very clear: this is what I'm hitting. If that doesn't happen or it gets changed, right, oh yeah, we put in these new systems and we toured these out, because we wrote the statement of work four months ago, we couldn't get it approved, we've changed our infrastructure between then and now and we didn't want to change it. So there might be some kind of meet, kickoff meeting you'll have where you essentially renegotiate the scope. Get them to sign it, if only to say, send it from their email, like, we agree this is the new scope or this modifies the scope and the statement of work. Because, and keep beating this up, you want the

scope of what work you're doing to be clear. Oftentimes you'll have the meeting. Those who also space stay things stick, say things like, when, when may I pen test your systems, and why is it always, it's like midnight to 4am, why is it always the rule? Yeah, and then we'll have a status call at nine. That was me for six weeks on the phone, like snoring. Alerts: if we knock something over, yeah, we did this test about it, and doesn't pay anymore, it was listening, something like master underscore AD, is that important? Oops, yeah, we should let you know. The get-out-of-jail letter: those of you who do physical pen tests or social engineering

that gets a little aggressive. The get-out-of-jail letter is essentially a, a shortened version of the scope of work signed by either their legal counsel, client legal counsel, of the client, CEO or president, saying the person standing in front of you is a pen tester, they're allowed to do whatever stupid thing they may have just done between this date and this date, no need to call the cops. If you've hit them, please apologize, you can put the gun down. Yeah, explains what you're doing. The idea is this is that if, cuz you know, in every physical pentest there's always that moment like, I'm gonna do something stupid, and next thing you know you're like, it

someone's called me on it, and it's not just like, oh, I'm sorry, I'm leaving now, like no, you need to be able to show the letter. It says trust me. Sometimes you're showing that to the police. This is something now that everyone's going to the cloud: identify the ownership of the stuff you're testing, view of it. If your client has put a bunch of stuff into AWS you may not be able to pen test it, cuz you know what, Amazon really doesn't like you pen testing their stuff, but they react badly to this

because otherwise it's an attack. Sometimes a redirect takes you over the line. I found this during a pen test: something that was in scope was actually hosted elsewhere. I went to its root directory, by doing that, you know, go up the web server to hopefully find the Apache admin page, and instead I found someone else's box which I owned. Looked at the IP and went, that's not ours, that was Rackspace's. I should go explain to Rackspace what I just did. Sorry, um, yeah, I got, I got shell in this, oh [ __ ], I got shell in someone else's box, oops. So that's the story I have for that. See, what you want to do is, if you have

identified co-located, cloud, whatever as-a-service stuff, get them, you don't want to do this, because I mean think of it this way, think of how Amazon or Rackspace is going to be able to, I'm a pen tester, I'm going to be pen testing this box, they're not in the customer first, go away. Get them to get all that stuff in place or come up with another solution. But that's why scope is so important, because breaking a system that is in scope is just a bad day for them; if you've written this correctly you're indemnified. If I break into a system that is out of scope I have now committed a felony. A felony does not look good on your

permanent record. Prevents criminal and civil liability if your scope is good. So say, for example, now going back to contracts, what happens when there's a conflict? They believe you haven't performed, they don't like what you're saying, and it goes from argument to all of a sudden people aren't accepting meeting invites. That's, that's when my blood runs cold, like uh-oh, I can, no one's on the status call, no response with thank you for my, you know, status spreadsheet about what I've done. So you know there's a problem. What can you do? You might be able to renegotiate. You talk to the principals involved and say this project has somehow gone off the rails, how do we keep this going, do we

extend scope, do we extend time, do we change the amount of money involved, do we do something, how do we keep the business relationship fine? Might I have to offer something new on both sides? Essentially it's a whole new contract. You want to identify the breach, and the breach is the breaching contract: what did, what, what did you promise to do that you didn't do, what did they promise to do that they didn't do, because you're fighting about that. You want to figure out how that is, how you can fix that, how you can cure that problem. This is now getting uglier. You vas it like they have breached their side, so you can say, I believe that you won't

continue performing, we're out. Anticipatory breach: you will not do what you're supposed to do at a material fact, you're not going to pay us, you're not going to get the project done on time, you haven't done coke or things to it, we're out. Like the extreme one of these is all of a sudden your badges no longer work at the job site, because they have basically told you, we've all, you all, get help. Threaten lawsuit: this is now, things have spiraled into stupid. After they're spiraling into stupid, because you've gone from we were making them happy, we're making them relatively happy, at this point no one on the technical teams and other side is talking. This is maybe the prince,

if you're the principal of your shop, you're talking, and you're now not talking to the technical people, you're likely talking to people in the business management or maybe legal. You're now fighting over whether or not you're going to continue at all, like this might be the end of the business relationship. And then you've gone from threatening a lawsuit, you've written a couple letters or your attorneys have written some letters, you actually file, los, someone files a suit about this. All of a sudden now it's, you're no longer really worrying about getting paid, you're worrying about escaping. So, any questions on contracts?

Okay, it's third parties. If, if I say I'm holding, hold harmless means we're not going to sue each other under this. Indemnification means that if someone else sues me, you're stepping in, right? You, you promised to do a thing for me, like you're going to test my system and you certify that it's good. If it's a mere hold harmless it means that if you break it or I cause you damage, no. Now, now you're standing in and saying, yeah, customer sues you, you're defending me. Yeah.

Right, especially if it's not yet done. If you're, like, working on a project that has not yet made it to GitHub or isn't really there yet, you would probably want to name it in your inventions disclosure, because it's like I'm working on, yeah, and come up. That's why I often tell my clients like, come up with a name, just name the thing, so that way instead of a, some really, it's like a patent declaration, like a thing that does awesomeness, wow, that's useless. No, it's a library that does this thing, and now it's a thing, and you can basically claim it as, I'm walking into this place with this now. In a lot of cases, thinking about inventions,

if they are close to, related to what you're doing in your day job, you want to be careful lest you use, you recycle code one way or the other. Now it becomes where the company can rightfully say, whoa, wait a minute, which of this code you write for us, which of this code is now in this open source project? This smells like what we paid you to do. That's a concern, right?

Yes. So the difficulty now is how do you protect, how do you protect the project if these guys can come in and say all the code that this person, you're like, but then you're like taking out like individual lines, like you're going back to two commits and going, show me, show me on this what's yours. I, I'm less concerned about that for open source, because most of the time I don't, unless that open source package becomes incredibly valuable, like in the Linux kernel or something like that, odds are it's going to be like, yeah, it's a wash, we don't think there's anything of enough value to fight you on it.

Yeah, it's one of those, like, I identified this as a risk, the same I identified that there is, you know, meteor or clown risk involved. Cool, I think we're done. Thank you so much. [Applause]