RE: Who's liable?

["Michael Conlen" <meconlen () obfuscated net>]

Michael,

When it comes to issues for criminal and civil liability always consult a
lawyer familiar with the laws in your locale.

Laws differ between different countries. Laws also differ from state to
state as even at finer granularity.

Note: The way the ATA/Patriot/USAA is going crimes covered by the CFA may
end up being considered terrorist activities. You just don't want to roll
dice with that, but again, consult a lawyer.

One thing I've learned having made friends with a laywer recently is that
any opinion I have on the law is generally wrong for weird and strange
reasons. It's just not something to take the advice of anyone not a laywer.

--
Groove On Dude
Michael Conlen
Obfuscated Networking
meconlen () obfuscated net


> -----Original Message-----
> From: Michael F. Bell [mailto:mike_b () rhinobyte com]
> Sent: Saturday, October 13, 2001 6:12 PM
> To: incidents () securityfocus org
> Subject: Who's liable?
>
>
> These are fictional scenarios that I am SURE that
> other people would like to discuss.
>
> Lets say you are a small realty agency, and you provide internet access
> to your employees and one of your employees hacks into the Whitehouse
> website from your internal network.  You do not have any logging going
> on from your SOHO firewall and the FBI shows up at your door one day
> with a warrant to search your computers for evidence of hacking into the
> Whitehouse website.  The FBI searches all 10 computers in your network
> and comes up without any hard evidence from these 10 machines linking
> them to the the hack into the Whitehouse website.  Your company is not
> doing  any firewall logging and you do not have any public servers that
> could have been hacked so someone could have remotely launched the
> attack?  All that the FBI has is your publicly NAT'ed firewall address.
>
> Who is liable??  What can the FBI do at this point?
>
> The above scenario is all fictional from my standpoint.  I could imagine
> that this is someones reality though...
>
> Lets change the victim from a Goverment agency to a private one.  Lets
> say that EBAY got hacked and they launched the same sort of
> investigation with the same findings..  What can be done from a legal
> /financial standpoint if an attack is detected from your company network
> and there is no proof on exactly who did it?  Can the victims take legal
> action against you, or is there some sort of protocol from a legal
> standpoint that hinders this?
>
> > Michael Bell
> > mike_b () rhinobyte com
>
> ------------------------------------------------------------------
> ----------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com