RE: Consulting Question



'Mens Rea' or guilty mind is essential for fraud.

(A simplified summary of the issue) False statement or false declaration
is a crime of strict liability in most instances. In particular when one
has not (on subsequently discovering the misstatement) repudiated
themself.

For a strict liability crime, all that is required is the "Actus reus".
This is the guilty act.

This is unlike the more severe crimes and offences where "actus non
facit reum nisi mens sit rea" applies (in effect: an act does not make a
person guilty unless the mind is also guilty).

An example where strict liability applies is in traffic offences; it is
no defence to state "sorry officer, I did not realise that I was driving
200km/h over the limit" even if you are 109, half blind and senile and
thus may actually truly not know.

Similarly the distinction from a false statement to fraud is proving
intent. As such, most prosecutors just go the easy path and get a false
statement and a few months. Fraud has the additional element of a guilty
mind - which may be proven through emails; witness statements etc, but
are a lot more work.

So, yes, it is still a crime. Just a lesser one (if that really
matters).

However, I have never found anything amiss (other than a compromise or
bad design) from a security viewpoint just looking at a site. It
requires looking at the java source code or viewing the page source or
similar actions.

The intent of the web page is not to disseminate the source code. It may
be publicly available, but this is still not a defence to pulling it
apart. If you do, then nothing will occur unless you advertise that you
are doing this. That is, you contact the site owner or similar.

The maxim that ignorance of the law is no defence has been a part of the
law from the Roman civil republic. So this is nothing new.

Intention just adds to the weight of a crime. There are many strict
liability offences these days. Intention is often out the window.
Further, it does little to help in a civil prosecution. A tortious case
for damages is often just as bad.

Generally (and this is from the 1900 Crimes Act, AU, and it is similar
in the UK) a statement is made in the statute such as "which is false or
misleading in a material particular and is made with reckless disregard
as to whether it is true or is false or misleading in a material
particular". So your not taking the time to verify the truth of a
statement is in fact the issue at the heart of the matter.

So it is a material statement, thus a statement I have 4 years and 3
months experience on the CISSP application is not material if you have 4
years and 1 month as there is not a distinction (materially) in the
outcome. If in fact you had 3 years and 10 months experience, this is
material at that point.

Clear as mud ;)

Regards,
Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright@xxxxxxxxxx
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


-----Original Message-----

From: Stephen Thornber [mailto:skthornber@xxxxxxx]
Sent: Friday, 11 May 2007 4:20 AM
To: Craig Wright
Cc: Simmons, James; sammons@xxxxxxxxxx;
security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Consulting Question

Is it a crime if it is done without 'Mens Rea'?

I mean in a UK legal context: "guilty state of mind".

Because if you have 'found something to be amiss' with a site as
part of normal browsing then there can be no Mens Rea and if you
found something without knowing it to be a crime again there is no
Mens Rea.

Alternatively of course not knowing the law and what you can and
can't do in this day and age is more often considered as being no
excuse..... I do not agree but then I disagree about a lot of things.

Intention - did you intend to do it? Did you intend to do it well
knowing it to be wrong? Did you intend to do it for good, if
misguided, reasons?

etc etc.

Stephen Thornber
MRSH, MBCS, CISM, CISSP


On 9 May 2007, at 23:54, Craig Wright wrote:

Chris,
My take would be:
1 Does the company have a statement on their site that
categorically allows you to find other means of access and check the
code?
2 Do they categorically and clearly state that they allow all
forms of deep browsing?
3 Do they ask for you to check and find possible vulnerabilities?
4 Do you have a (good) prior contract with the firm to engage in
these actions?

If the answer is not "yes" to all three you have committed a trespass.
There are limits on an implied access to a website. Any implied (i.e.
not express access as mentioned above) access is limited by the aims of
the firm and convention. Although public, websites are not designed to
be targets (though they may end up as one).

The result is that you have in fact breached the website owner's
property rights. The result is that in most (US, AU, NZ, EU)
jurisdictions, you have committed a crime if you do this action.

If you approach the firm - you have provided them evidence. If you
post it to a list in this case there is evidence.

Being public knowledge is not a shield. Estoppel provisions will not
help you other than maybe for downstream civil consequences. Google
hacking is still a violation. The information is in Google, but you
have to take an informed action to uncover it. This makes up intent.

Regards,


