Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: The legal / illegal line?
From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 7 Mar 2007 19:04:11 +1100


Hi,

On occasion and if done in the right way, than yes the whistle blower laws may help. Much of the trouble with good 
intentions is that people jump in without thinking first.



Shawn Carpenter seems to have faired ok. He has won his case (even if there is a later appeal) for the moment. If this 
comes through he is in a rather good position and the judgement if it sticks will make others think twice at least.  
They do not have long to file the appeal, so it will not be long to see what happens here.



In this case, the organisation was clearly stupid. Alerting the media is one thing, telling the fed's another. Being 
sacked for doing his duty, well Sandia deserve to get all they deserve.



Regards,

Craig


________________________________

From: Ivan . [mailto:ivanhec () gmail com]
Sent: Wed 7/03/2007 5:54 PM
To: Craig Wright
Cc: McCarty, Eric C.; Dotzero; pen-test () securityfocus com
Subject: Re: The legal / illegal line?


I guess not everyone gets shafted for doing the right thing, as demonstrated by this poor chap
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011832

One would imagine that whistleblower legislation would also offer some protection in certain circumstances?

cheers
Ivan


On 3/7/07, Craig Wright <cwright () bdosyd com au> wrote:


        Hi Ivan,

        The Good Samaritan laws vary by jurisdiction. There are a number of separate ones and some even apply here in 
Australia in limited instances.



        These rules are designed to restrict actions against wrongful death. This is tortious actions by a third party 
such as family of the deceased.



        In many civil law countries (eg. France) these go further and make the person responsible for aiding the other 
party and may have the person criminally liable for a failure to act.



        In case 2 of my original reply, the person giving aide had also impeded another from aiding the injured party. 
In this case, the wrongful death tort would be actionable. Worse still, where the Good Samaritan laws apply, the person 
is not allowed to stop rendering aid without extenuating circumstances or unless another party with equal or greater 
skill steps in to help.



        The party responding is not liable for tortious action for the death, disfigurement or disability of the victim 
as long as they acted as a "rational person". By stopping the additional assistance, the person would not be held to 
have acted reasonably and thus would be liable.



        Clear as mud.



        You are correct, I have some legal training. I am completing an honours masters (LLM - International commercial 
law) at the moment - expect to complete the dissertation in Jan/Feb next year. Following this I am starting a PhD in 
Economics/Law (on the economic impact of ecommerce and e-crime legislation and its effects). I also have a few papers 
published in a couple legal journals.



        And for those who like to call me a lawyer (not that this bothers me, but I do not get paid for it), yes I am 
working on a post grad law degree, but I also have several masters degrees in IT related fields. So :P

        http://www.infoage.idg.com.au/index.php/id;1151410747;fp;512;fpid;1874290912 < 
http://www.infoage.idg.com.au/index.php/id;1151410747;fp;512;fpid;1874290912 
<http://www.infoage.idg.com.au/index.php/id;1151410747;fp;512;fpid;1874290912> >



        Regards,

        Craig



        PS - academic junkie and proud of it ;)


        ________________________________

        From: Ivan . [mailto:ivanhec () gmail com]
        Sent: Wed 7/03/2007 2:24 PM
        To: Craig Wright
        Cc: McCarty, Eric C.; Dotzero; pen-test () securityfocus com
        Subject: Re: The legal / illegal line?


        Hi Craig,

        It's obvious that you have legal training, but how does the good Samaritan laws affect your ascertin in case 2? 
If you attempt in vain to save the person, you are not responsible for the loss of life? at least in the US and Canada?

        I don't think there is anything similiar here in Australia.

        http://en.wikipedia.org/wiki/Good_Samaritan_law

        cheers
        Ivan


        On 3/6/07, Craig Wright <cwright () bdosyd com au> wrote:


                > So in your opinion, companies have a legal right to put my credit card
                information, social security information, medical information, etc. at
                risk?

                No, and this is not what I stated.  There are privacy and credit
                protection laws to cover this.

                I do agree that the laws are f_cked as you put it, but we live in a
                democracy (or at least most ppl on this list do) and the tyranny of the
                majority wins. Most people are afraid of change and thus the changes
                that occur are those lobbied for by those with a vested interest.

                However, where do you draw the line? I admit the law is far too sided
                with stopping others from helping (or taking the law into their own
                hands), but where do you draw the line.

                As an example (excluding cases where there is an obligation in this case
                such as a parent child relationship); A person is (except in a FEW
                jurisdictions where there are explicit help laws - which would mean
                making a phone call) drowning in a puddle. You see them and stop. You do
                nothing to stop others seeing you or the other person and do not
                interfere. It is clear that the other person is drowning in the puddle.
                They seem unconscious. To save them all you have to do is roll them over
                - at no cost to yourself. You decide to wait and watch them die. You
                have done nothing legally wrong.

                Case 2. You see a person in trouble. Another person is going to run for
                help but you state that you can handle it and tell them not to go to the
                phone. They comply. You fail in your attempt to save the person, but it
                is likely that a trained person (if they arrived) could have saved them.
                You are legally responsible for the person's death.

                "Just seems backasswards to me." Yes, and to many people I would
                believe. But most people do not take an interest, and thus laws are
                biased away for societies interests.

                This is a topic best off this list however. The point is not if the law
                is right or wrong, but that it is there.

                Regards,
                Craig

                -----Original Message-----
                From: McCarty, Eric C. [mailto: emccarty () er ucsd edu <mailto:emccarty () er ucsd edu > ]
                Sent: Tuesday, 6 March 2007 9:01 AM
                To: Craig Wright; Dotzero; pen-test () securityfocus com
                Subject: RE: The legal / illegal line?

                I agreed up until...

                "People and firms have a legal right to ignorance. As much as we may
                want to change this, they have the right to live in their own stupidity
                and bare their own risk. You do not have the right to make them agree
                with you - even if you are right."

                ORLY?

                So in your opinion, companies have a legal right to put my credit card
                information, social security information, medical information, etc. at
                risk?

                You may perhaps be very right, but I'm certain we can now see very
                clearly how f__cked the laws we live under regarding Information
                technology are.

                I think laws should be amended to protect the do-gooders who find and
                report vulnerabilities, since as you mentioned, many companies live in
                ignorance and care less, why should the consumer be left at the mercy of
                the "bad people" (black hats if you will) instead of protected by the
                "good people" (white hats if you will) ?

                Just seems backasswards to me.

                Eric

                -----Original Message-----
                From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
                On Behalf Of Craig Wright
                Sent: Monday, March 05, 2007 1:24 PM
                To: Dotzero; pen-test () securityfocus com
                Subject: RE: The legal / illegal line?


                Dotzero is correct, you can point out concerns to the party you have
                contracted to and have them ask the third party to do something, or stay
                away.

                Worse still, in many common law juristictions (inc the US, UK, Au etc)
                you may be breaking the law further by not freely giving any information
                on the scan to the third party (tp). First there is no contract with the
                TP to cover you for any damages (and scans can cause hosts to crash =
                damage).


                Next, you have no implied or explict license to engage in the action,
                thus a breach of the TP's rights.

                Thus if you call them after the even stating something along the lines
                of "I have scanned your system and discovered vulnerability X, I will
                send you the report for $1,000" for instance, you could be held to have
                committed extortion. Where the TP exchanges money for the report, not
                only have you handed them proof of the action, but this is now
                blackmail.

                Next, consideration can not pass after the event in a contract. Thus if
                the party pays you, even where there is no criminal liability, they can
                bring suit to regain the payment from you in that there was no valid
                contract and the payment may be revoked.

                People and firms have a legal right to ignorance. As much as we may want
                to change this, they have the right to live in their own stupidity and
                bare their own risk. You do not have the right to make them agree with
                you - even if you are right.

                Regards,
                Craig

                -----Original Message-----
                From: listbounce () securityfocus com [mailto: listbounce () securityfocus com]
                On Behalf Of Dotzero
                Sent: Tuesday, 6 March 2007 6:52 AM
                To: pen-test () securityfocus com
                Subject: Re: The legal / illegal line?

                The original question from Barry was about legal vs illegal. There is
                only one (IMHO) answer to that question. It depends on jurisdiction.
                The laws that apply in one jurisdiction may not apply in another.

                I'm also concerned about Barry asking about when others "approach a
                client" to tell them about their insecurities following a "simple
                pen-test".. They are NOT your client unless they have engaged you.
                They are a potential client. They have no relationship with you and
                you have not been authorized by them to do anything on their behalf.
                Even if you haven't done anything illegal, most companies I'm familiar
                with would be unlikely to hire you or your company under such
                circumstances. The actions you describe are indicative of a failure to
                recognize appropriate boundaries.

                A more reasonable approach (and one more likely to attract business)
                would be to have your sales people pitch a free security assessment.
                Have a standard agreement authorizing a standard but limited set of
                activities that you can then use to show a potential client how they
                might benefit from your services.

                As usual, just my 2 cents.

                dotzero

                ------------------------------------------------------------------------
                This List Sponsored by: Cenzic

                Need to secure your web apps?
                Cenzic Hailstorm finds vulnerabilities fast.
                Click the link to buy it, try it or download Hailstorm for FREE.

                http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
                00000008bOW
                ------------------------------------------------------------------------


                Liability limited by a scheme approved under Professional Standards
                Legislation in respect of matters arising within those States and
                Territories of Australia where such legislation exists.

                DISCLAIMER
                The information contained in this email and any attachments is
                confidential. If you are not the intended recipient, you must not use or
                disclose the information. If you have received this email in error,
                please inform us promptly by reply email or by telephoning +61 2 9286
                5555. Please delete the email and destroy any printed copy.


                Any views expressed in this message are those of the individual sender.
                You may not rely on this message as advice unless it has been
                electronically signed by a Partner of BDO or it is subsequently
                confirmed by letter or fax signed by a Partner of BDO.

                BDO accepts no liability for any damage caused by this email or its
                attachments due to viruses, interference, interception, corruption or
                unauthorised access.

                ------------------------------------------------------------------------
                This List Sponsored by: Cenzic

                Need to secure your web apps?
                Cenzic Hailstorm finds vulnerabilities fast.
                Click the link to buy it, try it or download Hailstorm for FREE.

                http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
                00000008bOW
                ------------------------------------------------------------------------


                Liability limited by a scheme approved under Professional Standards Legislation in respect of matters 
arising within those States and Territories of Australia where such legislation exists.

                DISCLAIMER
                The information contained in this email and any attachments is confidential. If you are not the 
intended recipient, you must not use or disclose the information. If you have received this email in error, please 
inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed 
copy.

                Any views expressed in this message are those of the individual sender. You may not rely on this 
message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by 
letter or fax signed by a Partner of BDO.

                BDO accepts no liability for any damage caused by this email or its attachments due to viruses, 
interference, interception, corruption or unauthorised access.

                ------------------------------------------------------------------------
                This List Sponsored by: Cenzic

                Need to secure your web apps?
                Cenzic Hailstorm finds vulnerabilities fast.
                Click the link to buy it, try it or download Hailstorm for FREE.

                http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
                ------------------------------------------------------------------------





        Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising 
within those States and Territories of Australia where such legislation exists.

        DISCLAIMER
        The information contained in this email and any attachments is confidential. If you are not the intended 
recipient, you must not use or disclose the information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

        Any views expressed in this message are those of the individual sender. You may not rely on this message as 
advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax 
signed by a Partner of BDO.

        BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.




Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]