Penetration Testing mailing list archives
Re: what to do it illegal activity found during pen-test
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 13 Jul 2006 13:05:42 +1000
Hello,

To jump in on this, the comment "If you commit a tort by misreporting you are subject to civil action and your liability is your liability (to whatever extent that is)" is not technically correct. A tortious claim will be available only if the act was conducted with malicious intent. This is difficult to prove and the onus of proof lies with the prosecuting party. Even then there are several defenses to the claim.

Next, reporting the issue is not the same as prosecuting the issue. In fact, in the US, UK, NZ and Australia there are laws that cover this. Child porn is an indictable offence in all of the above jurisdictions. It is a criminal offence not to report the scientia of the event in all localities listed.

False arrest would only be possible if the action is not proven AND you made the arrest without cause. As, unless you are in the police force, this is unlikely, and even a private prosecution is unlikely, there is no issue here.

As for a claim of tortious libel, this requires that you publicly release the claim. Reporting is not a publication. Thus the action would fail and be struck out.

The only real issue is if the photo was "planted" by the investigator or there was gross negligence in the completion of the investigator's duty. Neither is directly associated with the reporting.
Regards,
Craig

PS As an example: NSW Crimes Act 1900, Division 2 - Interference with the administration of justice, s 316.

316 Concealing serious indictable offence

(1) If a person has committed a serious indictable offence and another person who knows or believes that the offence has been committed and that he or she has information which might be of material assistance in securing the apprehension of the offender or the prosecution or conviction of the offender for it fails without reasonable excuse to bring that information to the attention of a member of the Police Force or other appropriate authority, that other person is liable to imprisonment for 2 years.

(2) A person who solicits, accepts or agrees to accept any benefit for himself or herself or any other person in consideration for doing anything that would be an offence under subsection (1) is liable to imprisonment for 5 years.

(3) It is not an offence against subsection (2) merely to solicit, accept or agree to accept the making good of loss or injury caused by an offence or the making of reasonable compensation for that loss or injury.

(4) A prosecution for an offence against subsection (1) is not to be commenced against a person without the approval of the Attorney General if the knowledge or belief that an offence has been committed was formed or the information referred to in the subsection was obtained by the person in the course of practising or following a profession, calling or vocation prescribed by the regulations for the purposes of this subsection.

(5) The regulations may prescribe a profession, calling or vocation as referred to in subsection (4).

The offence, contained in section 316(1) of the NSW Crimes Act, occurs where a person knows or believes that a serious crime has been committed, and fails, without a reasonable excuse, to inform the police.
-----Original Message-----
From: Dotzero [mailto:dotzero () gmail com]
Sent: Wednesday, 12 July 2006 8:16 PM
To: pen-test () securityfocus com
Subject: Spam: Re: what to do it illegal activity found during pen-test

Just to comment on people equating "good samaritan laws" to reporting porn. Bad analogy... very bad analogy.

Consider (at least in many/most U.S. states) what the good samaritan law does. It does NOT protect the average person if they attempt to provide assistance. It only protects individuals with training that act within the scope of their training and professional expertise. So a doctor or nurse is clearly protected when providing assistance except in cases of gross negligence or malfeasance, etc. In the case of an individual with limited training, it only protects the individual rendering assistance within very defined circumstances. So (and I do have first aid and AED/CPR certifications) there are a few conditions:

1) If the person is conscious they have the right to refuse assistance. If you attempt to provide assistance after they refuse it you are not protected. The exception to this is if they are not conscious, in which case most states have implied consent.

2) If the individual does not follow the procedures in the training or goes beyond the scope of the training they are generally not protected by good samaritan laws.

In the case of an individual with no training/certification, they are generally not protected under good samaritan laws if they attempt to render assistance. The purpose of good samaritan laws is to give an incentive to trained individuals to render assistance in the case of an accident or emergency. That is a very limited and defined scope.

Moving on to reporting alleged kiddie porn in the course of a professional engagement. You have no protection whatsoever under the concept of good samaritan laws.
If you commit a tort by misreporting you are subject to civil action and your liability is your liability (to whatever extent that is). How many people on this list are willing to claim expertise in kiddie porn that should/would match the analogy of good samaritan law structure?

It's interesting that most people are focusing only on kiddie porn when there are so many other types of activities one is likely to come across during a pen-test or audit.