Penetration Testing mailing list archives
Re: what to do it illegal activity found during pen-test
From: "Paul Robertson" <compuwar () gmail com>
Date: Wed, 14 Jun 2006 15:04:08 -0400
On 6/9/06, Campbell Murray <campbell () encription co uk> wrote:
Hi, I have been following this list closely and have taken some legal advice from colleagues within the UK Police forces and UK solicitors on this matter. The position seems to be quite clear.
This depends heavily upon the jurisdiction, laws being broken and level of surity that a law is being broken...
A) If you discover illegal activity you have an obligation to report this to the proper authorities immediately regardless of contractual obligation. In short your legal obligations supersede any contractual obligations you may have with a client or employer.
This is heavily jurisdictional, and again, may depend on civil vs. criminal law- and level of surity. For instance, do you assume that all musical content found on an mp3 server is illegal, and do you report it? It's not as cut and dried as it would appear, especially if you're not an investigating authority or acting on behalf of one. Worse-yet, the wrong move may prejudice a case when there's a real bad actor and a real victim if you're found to be acting as an agent of law enforcement and don't follow the correct procedures.
B) If you choose to report this to your client and let them deal with it you are again obliged to make sure that they DO report it. C) If an offence is not reported and it is later discovered you will find yourself liable for a charge of 'aiding and abetting' the original offence.
Again, this is situational. In any case, your motivation should be to do the right thing because it's the right thing, not because you might have downstream issues. If you're wrong about the legality of something, and you do report it, it's possible that you could open yourself up to civil liability unless you've adaquately covered yourself in the contract. My contracts generally allow me to err on the side of caution, for instance on machine-level forensics work, I generally use phrasing to cover things which in my opinion may be illegal, and giving me the ability to report it to any relevant agency I deem appropriate. I've had some long and involved discussions over what does and doesn't constitute child pornography according to US statutes, as well as what my legal reporting obligations are with my local U.S. Attny's office and local FBI field office. While I'm reasonably well informed, it's not my job to determine if a particular image of a particular subject *is* child pornography, or if it *might be* child pornography- I can't always reasonably know the age of a potential victim from an image, and once the images get questionable, my contracts allow me to call the appropriate authorities and make a report. After that, they'll determine if something is prosecutable (which is a higher standard than illegal) and determine what I need to do next. If I'm wrong, and it's not really child pornography (virtual, aged enhanced, doesn't meet the standard, over age model,) my contracts cover me just as much as if it meets the standard but isn't prosecutable or if it's going to be prosecuted.
The over riding theme that I have discovered is that regardless of any contracts you have with your employers or clients in this situation YOU have a responsibility to report the incident. If you do not you are committing an offence yourself.
You miss my point, which I admit wasn't as clear as it should have been - I'm of the opinion that you have an obligation to cover this in your contracts so that when the client hires you, they're aware of the position, ethics and process you'll take. That doesn't supercede your own legal obligations, but may protect you in borderline cases. Paul -- fora.compuwar.net ------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- what to do it illegal activity found during pen-test Robin Wood (Jun 02)
- Re: what to do it illegal activity found during pen-test Dotzero (Jun 02)
- RE: what to do it illegal activity found during pen-test Andy Meyers (Jun 02)
- RE: what to do it illegal activity found during pen-test Ali-Reza Anghaie (Jun 03)
- Re: what to do it illegal activity found during pen-test Robin Wood (Jun 04)
- RE: what to do it illegal activity found during pen-test Ebeling, Jr., Herman Frederick (Jun 07)
- RE: what to do it illegal activity found during pen-test Andy Meyers (Jun 02)
- Re: what to do it illegal activity found during pen-test Paul Robertson (Jun 08)
- RE: what to do it illegal activity found during pen-test Campbell Murray (Jun 09)
- Re: what to do it illegal activity found during pen-test Robin Wood (Jun 10)
- Re: what to do it illegal activity found during pen-test Paul Robertson (Jun 14)
- RE: what to do it illegal activity found during pen-test Campbell Murray (Jun 09)
- <Possible follow-ups>
- RE: what to do it illegal activity found during pen-test Michael Scheidell (Jun 02)
- Re: what to do it illegal activity found during pen-test Dotzero (Jun 02)