Re: what to do if illegal activity found during pen-test

From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Jul 12 2006 - 23:05:42 EDT


Hello,
To jump in on this, the comment; "If you commit a tort by misreporting
you are subject to civil action and your liability is your liability (to
whatever extent that is)." is not technically correct.

A tortious claim will be available only if the act was conducted with
malicious intent. This is difficult to prove and the onus of proof lies
with the prosecuting party. Even then there are several defences to the
claim.

Next, reporting the issue is not the same as prosecuting the issue. In
fact, in the US, UK, NZ and Australia there are laws that cover this.
Child porn is an indictable offence in all of the above jurisdictions.
It is a criminal offence not to report the scientia of the event in all
localities listed.

False arrest would only be possible if the action is not proven AND you
made the arrest without cause. Unless you are in the police force this
is unlikely, and even a private prosecution is unlikely - there is no
issue here.

As for a claim of tortious libel, this requires that you publicly
release the claim. Reporting is not a publication. Thus the action would
fail and be struck out.

The only real issue is if the photo was "planted" by the investigator or
there was gross negligence in the completion of the investigator's duty.
Neither is directly associated with the reporting.

Regards,
Craig

PS: as an example, NSW Crimes Act 1900, Division 2 - Interference with
the administration of justice, S 316

316 Concealing serious indictable offence

(1) If a person has committed a serious indictable offence and another
person who knows or believes that the offence has been committed and
that he or she has information which might be of material assistance in
securing the apprehension of the offender or the prosecution or
conviction of the offender for it fails without reasonable excuse to
bring that information to the attention of a member of the Police Force
or other appropriate authority, that other person is liable to
imprisonment for 2 years.
(2) A person who solicits, accepts or agrees to accept any benefit for
himself or herself or any other person in consideration for doing
anything that would be an offence under subsection (1) is liable to
imprisonment for 5 years.
(3) It is not an offence against subsection (2) merely to solicit,
accept or agree to accept the making good of loss or injury caused by an
offence or the making of reasonable compensation for that loss or
injury.
(4) A prosecution for an offence against subsection (1) is not to be
commenced against a person without the approval of the Attorney General
if the knowledge or belief that an offence has been committed was formed
or the information referred to in the subsection was obtained by the
person in the course of practising or following a profession, calling or
vocation prescribed by the regulations for the purposes of this
subsection.
(5) The regulations may prescribe a profession, calling or vocation as
referred to in subsection (4).

The offence, contained in section 316(1) of the NSW Crimes Act, occurs
where a person knows or believes that a serious crime has been
committed, and fails, without a reasonable excuse, to inform the police.

-----Original Message-----
From: Dotzero [mailto:dotzero@gmail.com]
Sent: Wednesday, 12 July 2006 8:16 PM
To: pen-test@securityfocus.com
Subject: Spam: Re: what to do if illegal activity found during pen-test

Just to comment on people equating "Good Samaritan laws" to reporting
porn. Bad analogy... very bad analogy.

Consider (at least in many/most U.S. states) what the Good Samaritan
law does. It does NOT protect the average person if they attempt to
provide assistance. It only protects individuals with training that
act within the scope of their training and professional expertise. So
a doctor or nurse is clearly protected when providing assistance,
except in cases of gross negligence or malfeasance, etc.

In the case of an individual with limited training, it only protects
the individual rendering assistance within very defined circumstances.
So (and I do have first aid and AED/CPR certifications) there are a
few conditions:

1) If the person is conscious they have the right to refuse
assistance. If you attempt to provide assistance after they refuse it,
you are not protected. The exception to this is if they are not
conscious, in which case most states have implied consent.

2) If the individual does not follow the procedures in the training or
goes beyond the scope of the training, they are generally not protected
by Good Samaritan laws.

In the case of an individual with no training/certification, they are
generally not protected under Good Samaritan laws if they attempt to
render assistance.

The purpose of Good Samaritan laws is to give an incentive to trained
individuals to render assistance in the case of an accident or
emergency. That is a very limited and defined scope.

Moving on to reporting alleged kiddie porn in the course of a
professional engagement. You have no protection whatsoever under the
concept of Good Samaritan laws. If you commit a tort by misreporting
you are subject to civil action and your liability is your liability
(to whatever extent that is).

How many people on this list are willing to claim expertise in kiddie
porn that should/would match the analogy of the Good Samaritan law
structure?

It's interesting that most people are focusing only on kiddie porn
when there are so many other types of activities one is likely to come
across during a pen-test or audit.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:15 EDT