Re: what to do it illegal activity found during pen-test

From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Jul 12 2006 - 23:27:20 EDT


Next comment;
Good Samaritan laws are not applicable.

A 'good Samaritan law' acts to protect a person who has acted in good faith from prosecution. It does not apply to situations that do not help others directly. They are basically a "shield" that may be used to protect against a wrongful death claim. They in effect act as a form of estoppel and are a "shield not a sword" as with an equitable estoppel.

Under common law there is no civil penalty for not giving aid (unless there are special circumstances such as a doctor-patient relationship or an on-duty police or other emergency services worker). Basically it is legal (though not ethical) to watch a person drown and not give aid as long as you do not obstruct another in the supply of the said aid and are in no way responsible for the resultant condition (i.e. the person being in the water).

That said, there are statutory offences that have extended the common law. An example of this is that of a failure of a driver to stop and render assistance, or leaving the scene of an accident. Neither of these is at all relevant to the issue of reporting an offence.

Next to; "In the case of an individual with no training/certification, they are generally not protected under good Samaritan laws if they attempt to render assistance."
Actually this is the wrong way around. The common technical classification of what is a "good Samaritan law" is designed to protect from blame those who choose to aid others who are injured or ill.

They are more designed to protect a lay person who is supplying aid. In many cases, esp. in the US, a doctor may decide not to become involved as the act would leave him/her vulnerable to a civil suit through negligence if it could be proved.

If we take a copy of a (names changed to protect the guilty) charge sheet for failure to render assistance;

Person X, the defendant in this case, has been charged with the crime of failure to render assistance.
To prove that the defendant committed this crime, the state must prove beyond a reasonable doubt each of the following elements:
(1)   the defendant was involved in an accident while driving a vehicle;
(2)   the accident resulted in injury to or the death of another person;
(3)   at the time the accident occurred, the defendant knew (his) (her) vehicle was involved in an accident;
(4)   the defendant either knew of the injury or knew that the accident was of such a nature that one would reasonably anticipate that it resulted in injury to a person; and
(5)   the defendant did not render reasonable assistance to the injured person.

See for example AS 28.35.060(a) & (c); Kimoktoak v. State, 584 P.2d 25, 32 (Alaska 1978). 

So basically these are all arguments which are unrelated to the issue of a discovery of any illegal activity.

Regards,
Craig

-----Original Message-----
From: Dotzero [mailto:dotzero@gmail.com]
Sent: Wednesday, 12 July 2006 8:16 PM
To: pen-test@securityfocus.com
Subject: Spam: Re: what to do it illegal activity found during pen-test

Just to comment on people equating "good samaritan laws" to reporting
porn. Bad analogy...very bad analogy.

Consider (at least in many/most U.S. states) what the good samaritan
law does. It does NOT protect the average person if they attempt to
provide assistance. It only protects individuals with training that
act within the scope of their training and professional expertise. So
a doctor or nurse is clearly protected when providing assistance
except in cases of gross negligence or malfeasance, etc.

In the case of an individual with limited training, it only protects
the individual rendering assistance within very defined circumstances.
So (and I do have first aid and aed/cpr certifications) there are a
few conditions:

1) if the person is conscious they have the right to refuse
assistance. If you attempt to provide assistance after they refuse it
you are not protected. The exception to this is if they are not
conscious, in which case most states have implied consent.

2) If the individual does not follow the procedures in the training or
goes beyond the scope of the training they are generally not protected
by good samaritan laws.

In the case of an individual with no training/certification, they are
generally not protected under good samaritan laws if they attempt to
render assistance.

The purpose of good samaritan laws is to give an incentive to trained
individuals to render assistance in the case of an accident or
emergency. That is a very limited and defined scope.

Moving on to reporting alleged kiddie porn in the course of a
professional engagement. You have no protection whatsoever under the
concept of good samaritan laws. If you commit a tort by misreporting
you are subject to civil action and your liability is your liability
(to whatever extent that is).

How many people on this list are willing to claim expertise in kiddie
porn that should/would match the analogy of good samaritan law
structure?

It's interesting that most people are focusing only on kiddie porn
when there are so many other types of activities one is likely to come
across during a pen-test or audit.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:15 EDT