Security Incidents mailing list archives

RE: backdoor


From: "Liam Grant" <Liam.Grant () exodus net>
Date: Tue, 25 Jun 2002 07:53:38 -0700

Not to comment on the rest of the discussion, but in answer to the question of whether people have been charged for 
leaving machines up after compromise.

I am aware of at least one case in the US, reported in the media, where a small ISP was being DoS'd (along with their 
customers).  They managed to get a temporary restraining order requiring the disconnection and proper securing of the 
computers of 5 major companies taken over and used in the attack.  The judge ordered all machines in the hosting data 
center belonging to those companies disconnected until such time as the owners could show due diligence and care in 
preventing further attacks through their machines.

This is a long way from criminal neglect, and I don't know the further disposition of the case, but it ain't peanuts.  
Will you be held responsible if your machines are used to attack someone else and you don't do anything (or enough)?  
It depends on the jurisdiction and the judge.  This was before 9/11, so take that into account in the response also.



Liam Grant
Senior Security Consultant
Exodus, A Cable & Wireless Service
Delivering the Internet promise
www.exodus.net
liam.grant () exodus net
(781) 522 7621    Office
(617) 201 9035    Mobile 
Address 175 Wyman Road, Waltham MA 02451

[Statements above do not reflect the opinions of my employers.]

-----Original Message-----
From: Christopher L Calvert [mailto:ccalvert () us ibm com]
Sent: Sunday, 23 June, 2002 10:35 PM
To: incidents () securityfocus org
Subject: Re: backdoor



S.O.P. (Standard Operating Procedures) describe that a compromised box
should be considered lost and be installed from scratch.

If you want to play with it in isolation to learn more about the culprit that
is your decision.

However, leaving a compromised system online makes you guilty of criminal
neglect. (Aiding and embedding criminals and all that sort of thing.)

This is very commonly quoted to me as a justification for all kinds of security
requirements. I have never found case law that supports this point of view;
I am even still looking for the actual law or decision that makes this point. I
could easily be wrong, and I do agree strongly with the premise, but this advice,
if not legally substantiated, is bad. Does anyone have concrete legal case law
or decisions to support this point of view, and have civil or criminal charges been
filed and won on this point as it applies to compromised systems? Thanks...

-- Chris


As there is never a good warranty on trying to clean a compromised box you
should not attempt it. (After all the box would most likely not be
compromised if you were on the front of things.)

Hugo.





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
