Re: Consulting Question

[Stephen Thornber <skthornber () mac com>]

Is it a crime if it is done with out 'Mens Rea' ?

I mean in a UK legal context: "guilty state of mind".

Because if you have 'found something to be amiss'  with a site as  
part of normal browsing then there can be no Mens Rea and if you  
found something without knowing it to be a crime again there is no  
Mens Rea.

Alternatively of course not knowing the law and what you can and  
can't do in this day and age is  more often considered as being no  
excuse..... I do not agree but then I disagree about a lot of  things.

Intention - did you intend to do it? Did you intend to do it well  
knowing it to be wrong? did you intend to do it for good, if  
misguided, reasons

etc etc.

Stephen Thornber
MRSH, MBCS, CISM, CISSP


On 9 May 2007, at 23:54, Craig Wright wrote:

> Chris,
> My take would be:
> 1       Does the company have a statement on their site that
> categorically allows you to find other means of access and check the
> code?
> 2       Do they categorically and clearly state that they allow all
> forms of deep browsing?
> 3       Do they ask for you to check and find possible vulnerabilities?
> 4       Do you have a (good) prior contract with the firm to engage in
> these actions.
>
> If the answer is not "yes" to all three you have committed a trespass.
> There are limits on an implied access to a website. Any implied (i.e.
> not express access as mention above) access is limited by the aims of
> the firm and convention. Although public, websites are not designed to
> be targets (though they may end up as one).
>
> The result is that you have in fact breached the website owners  
> property
> rights. The result is that in most (US, AU, NZ, EU) jurisdictions, you
> have committed a crime if you do this action.
>
> If you approach the firm - you have provided them evidence. If you  
> post
> it to a list in this case there is evidence.
>
> Being public knowledge is not a shield. Estoppel provisions will not
> help you other than in for maybe downstream civil consequences. Google
> hacking is still a violation. The information is in Google, but you  
> have
> to take an informed action to uncover it. This makes up intent.
>
> Regards,
> Craig
>
>
>
> Craig Wright
> Manager of Information Systems
>
> Direct +61 2 9286 5497
> Craig.Wright () bdo com au
> +61 417 683 914
>
> BDO Kendalls (NSW)
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> www.bdo.com.au
>
> Liability limited by a scheme approved under Professional Standards  
> Legislation in respect of matters arising within those States and  
> Territories of Australia where such legislation exists.
>
> The information in this email and any attachments is confidential.   
> If you are not the named addressee you must not read, print, copy,  
> distribute, or use in any way this transmission or any information  
> it contains.  If you have received this message in error, please  
> notify the sender by return email, destroy all copies and delete it  
> from your system.
>
> Any views expressed in this message are those of the individual  
> sender and not necessarily endorsed by BDO Kendalls.  You may not  
> rely on this message as advice unless subsequently confirmed by fax  
> or letter signed by a Partner or Director of BDO Kendalls.  It is  
> your responsibility to scan this communication and any files  
> attached for computer viruses and other defects.  BDO Kendalls does  
> not accept liability for any loss or damage however caused which  
> may result from this communication or any files attached.  A full  
> version of the BDO Kendalls disclaimer, and our Privacy statement,  
> can be found on the BDO Kendalls website at http://www.bdo.com.au  
> or by emailing administrator () bdo com au.
>
> BDO Kendalls is a national association of separate partnerships and  
> entities.
>
> -----Original Message-----
>
> From: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com]
> On Behalf Of Simmons, James
> Sent: Thursday, 10 May 2007 4:55 AM
> To: sammons () cs utk edu; security-basics () securityfocus com
> Subject: RE: Consulting Question
>
> I wont mention about how what you said was wrong since others have
> already commented. But for your disclosure I would suggest 3com's Zero
> Day Initiative, if in fact what you found was a zero day.
> http://www.zerodayinitiative.com/
> If you found an existing exploit with their site, then I would be very
> careful in how you approach this. It really depends on how you  
> found it
> (i.e.. some google hacking). Or were you illegally scanning this
> companies systems? If it was a google hack, then an argument can be  
> made
> that it is public knowledge and thus you COULD be shielded from legal
> action. (Of course this is theoretical, as the company can sue you  
> just
> because ... See MPAA and RIAA lawsuits for references.)
> Personally, I really wouldn't mention it to the company (unless you  
> are
> proof positive of your legal standing), and just solicit them for your
> services like a professional.
>
>
> Regards,
>
> Simmons
>
> -----Original Message-----
> From: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com]
> On Behalf Of sammons () cs utk edu
> Sent: Tuesday, May 08, 2007 2:32 PM
> To: security-basics () securityfocus com
> Subject: Consulting Question
>
> Hello All,
>
>   I would like to get my feet wet doing some general security
> consultation work (network audits, penetration testing, etc.). My
> questions concerns a proper approach to potential clients. Consider  
> this
> situation, I have found a few vulnerabilities in the company's web
> application product that could lead to potential identity theft and
> system compromise. This being a relatively large company, how would  
> one
> go about informing the company about this vulnerability without them
> leaving you 100% out of the equation?
>
>   In the case that the company is not interested in further third- 
> party
> assistance I have a second question (concerning credit for finding  
> such
> vulnerability). What is the proper/ethical protocol for publishing a
> software vulnerability? Are there any other methods that would insure
> credit while protecting the company from mass exploitation? I thank  
> you
> in advanced for your input.
>
> Best Regards,
>
> Chris