Firewall Wizards mailing list archives

Re: Executives liable for computer crime? (update)


From: Henry Hertz Hobbit <hhhobbit () cs weber edu>
Date: Thu, 27 Aug 1998 01:11:53 -0600 (MDT)

On Tue, 25 Aug 1998, Wood, Tom D wrote:

To all,

<snip>

I don't feel comfortable re-publishing without permission someone else's
work, but I will paraphrase it enough to get the point across. BTW, the site
it came from originally is a *very* well known maker of Token based
authentication systems, you can use your own imagination from there <g>.

It starts out revealing a new Federal regulation (1991) aimed at white
collar crime that has implications for CEOs, IS mgrs and "other senior
management". It then goes on to state that the reg holds the CEO and senior
management responsible for crime involving their organization. Even if the
crime was obviously a downstream attack using your network as a launchpad,
you're on the hook for up to $290 million in damages and possible corporate
probation.

I believe this was the law that was passed a few years after
Morris released the worm (accidentally?). It is one of those
"we will show them how tough we can get" kind of thing to make
sure if they claimed it wasn't them, if enough evidence showed
they really were the originators (somebody at that site) they
couldn't weasel off. As far as I know, there have been NO
prosecutions of sites that were compromised by somebody else
being prosecuted. It is my opinion that if it was, it would be
like the "no indecent material" through schools law several
years back. The Attorney General was even stupid enough that
when that law was struck down by a Federal court that it was
appealed to the Supreme court which affirmed the earlier Federal
court ruling.

In other words, if you are an innocent victim and somebody used
your compromised network, the likelihood of you being prosecuted
(should we go for "doubly persecuted" instead?) isn't very likely.


Just my 0.02 worth...

HHH


