Security Incidents mailing list archives

RE: Who's liable?


From: "Liam Burrow" <afmmd () ihug com au>
Date: Sun, 14 Oct 2001 11:09:37 +1000

In terms of liability there really are three primary people I suspect you
are asking about:

1. The Person in the company who did it
2. The Network Administrator
3. You, the Manager of the Company

I'll deal with each as we go:

The first person, if they did it, is certainly liable, though in order to
convict them of an offence it must be proved beyond a reasonable doubt to a
jury.  Satisfy those things (beyond reasonable doubt, and convince a jury)
and they are guilty.

The second person is the network administrator.  In terms of criminal
liability there is none (there is no requirement for normal civilian people
to be a vigilante).  They haven't committed a crime, negligence is not a
crime, and nor is ignorance.  However, they are not good things under civil
actions, which means that they could be held liable to the manager of the
company that they work for, for not providing the services they were paid
for due to negligence etc.  (And considering if it were the USA the case
occurred in it would more than likely be possible they'd have civil
liability in respect of 'allowing' the criminal to do something wrong :-/).
If a civil case is brought, then a judge (or jury if opted) would need to be
convinced on the balance of probabilities - and that would depend mainly on
their contract of employment (i.e. is it protect-the-network focused, or just
make sure the network runs fine, or is it a full security role?).  So, for the
network admin: possible civil liability but no criminal liability.

3. As you can probably guess the manager will not have any criminal
liability and probably won't even have any civil liability (except,
possibly, in the ironic manner suggested above).

Note, the manager and the network admin must not have known about what was
going on, at least to the extent that they could not be considered
accessories, by aiding and abetting.

Liam
afmmd () ihug com au

-----Original Message-----
From: Michael F. Bell [mailto:mike_b () rhinobyte com]
Sent: Sunday, 14 October 2001 8:12 AM
To: incidents () securityfocus org
Subject: Who's liable?


These are fictional scenarios that I am SURE that
other people would like to discuss.

Let's say you are a small realty agency, and you provide internet access
to your employees and one of your employees hacks into the White House
website from your internal network.  You do not have any logging going
on from your SOHO firewall and the FBI shows up at your door one day
with a warrant to search your computers for evidence of hacking into the
White House website.  The FBI searches all 10 computers in your network
and comes up without any hard evidence from these 10 machines linking
them to the hack into the White House website.  Your company is not
doing any firewall logging and you do not have any public servers that
could have been hacked so someone could have remotely launched the
attack.  All that the FBI has is your publicly NAT'ed firewall address.

Who is liable?  What can the FBI do at this point?

The above scenario is all fictional from my standpoint.  I could imagine
that this is someone's reality though...

Let's change the victim from a Government agency to a private one.  Let's
say that EBAY got hacked and they launched the same sort of
investigation with the same findings.  What can be done from a
legal/financial standpoint if an attack is detected from your company network
and there is no proof on exactly who did it?  Can the victims take legal
action against you, or is there some sort of protocol from a legal
standpoint that hinders this?

Michael Bell
mike_b () rhinobyte com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
