Home page logo

pen-test logo Penetration Testing mailing list archives

RE: what to do it illegal activity found during pen-test
From: "Ebeling, Jr., Herman Frederick" <hfebelingjr () lycos com>
Date: Tue, 11 Jul 2006 14:35:31 -0400

Hash: SHA1

- ----Original Message----
From: Paul Robertson [mailto:compuwar () gmail com]
Sent: Wednesday, 14 June, 2006 15:04
To: Campbell Murray
Cc: pen-test () securityfocus com; tony () encription co uk
Subject: Re: what to do it illegal activity found during pen-test

: On 6/9/06, Campbell Murray <campbell () encription co uk> wrote:
: : Hi,
: : 
: : I have been following this list closely and have taken some legal
: : advice from colleagues within the UK Police forces and UK
: : solicitors on this matter.  The position seems to be quite clear.
: This depends heavily upon the jurisdiction, laws being broken and
: level of surity that a law is being broken...

        First off, please forgive my "tardiness" in responding this post. 
But I think that that is what the "Good Samaritan" laws are for.  To
protect those who honestly believe that they are acting in the best
interest of those involved.

: : 
: : A) If you discover illegal activity you have an obligation to
: : report this to the proper authorities immediately regardless of
: : contractual obligation.  In short your legal obligations
: : supersede any contractual obligations you may have with a client
: : or employer. 
: This is heavily jurisdictional, and again, may depend on civil vs.
: criminal law- and level of surity.  For instance, do you assume
: all musical content found on an mp3 server is illegal, and do you
: report it?  It's not as cut and dried as it would appear,
: if you're not an investigating authority or acting on behalf of
: Worse-yet, the wrong move may prejudice a case when there's a real
: bad actor and a real victim if you're found to be acting as an
: agent of law enforcement and don't follow the correct procedures.

        Granted, sadly there will almost always be "grey areas," but again
that is what the "Good Samaritan" laws are for.

: : 
: : B) If you choose to report this to your client and let them deal
: : with it you are again obliged to make sure that they DO report
: : 
: : C) If an offence is not reported and it is later discovered you
: : will find yourself liable for a charge of 'aiding and abetting'
: : the original offence. 
: : 
: Again, this is situational.  In any case, your motivation should be
: to do the right thing because it's the right thing, not because you
: might have downstream issues.

        This is true, but one shouldn't let the lack of appropriate phrases
in a contract prevent them from doing the right thing.

: If you're wrong about the legality of something, and you do report
: it, it's possible that you could open yourself up to civil
: unless you've adequately covered yourself in the contract.  My
: contracts generally allow me to err on the side of caution, for
: instance on machine-level forensics work, I generally use phrasing
: to cover things which in my opinion may be illegal, and giving me
: the ability to report it to any relevant agency I deem appropriate.

        Again that is what the "Good Samaritan" laws are for, one such
example is a person who performs CPR on say a drowning victim.  It
has been shown, and proven time-and-time again that even when done
properly that CPR can result in cracked or broken bones.  The "Good
Samaritan" laws protect person from being sued by the victim for said
cracked or broken bones.

: I've had some long and involved discussions over what does and
: doesn't constitute child pornography according to US statutes, as
: well as what my legal reporting obligations are with my local U.S.
: Attny's office and local FBI field office.
: While I'm reasonably well informed, it's not my job to determine if
: a particular image of a particular subject *is* child pornography,
: or if it *might be* child pornography- I can't always reasonably
: know the age of a potential victim from an image, and once the
: images get questionable, my contracts allow me to call the
: appropriate authorities and make a report.  After that, they'll
: determine if something is prosecutable (which is a higher standard
: than illegal) and determine what I need to do next.  If I'm wrong,
: and it's not really child pornography (virtual, aged enhanced,
: doesn't meet the standard, over age model,) my contracts cover me
: just as much as if it meets the standard but isn't prosecutable or
: if it's going to be prosecuted.

        Unless they've been changed (and I'll admit that they could have)
that the child pornography laws have been written to include pictures
of adults who have been "dressed down" or "made down" to look as if
they are children.

: : The over riding theme that I have discovered is that regardless
: : of any contracts you have with your employers or clients in this
: : situation YOU have a responsibility to report the incident.  If
: : you do not you are committing an offence yourself.
: You miss my point, which I admit wasn't as clear as it should have
: been - I'm of the opinion that you have an obligation to cover this
: in your contracts so that when the client hires you, they're aware
: of the position, ethics and process you'll take.  That doesn't
: supercede your own legal obligations, but may protect you in
: borderline cases.

        Again just because the appropriate clauses are missing from one's
contract should not stop one from doing the right thing.

: Paul

- -----
Live Long and Prosper
 ___________________          _-_
 \==============_=_/ ____.---'---`---.____
             \_ \    \----._________.----/
               \ \   /  /    `-_-'
          /____          ||-

Version: PGP 8.0.3
Comment: Space the Final Frontier


This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]