RE: Remote Access Banners

["Bob Radvanovsky" <rsradvan () unixworks net>]

Go here: http://www.unixworks.net/papers/wp-007.pdf.

Though there weren't any laws enacted (per se) that *require* that banners
be implemented, just about EVERY federal government system today has a login
or remote banner of some sort.

Essentially, it disclaims the servicing party of whatever they're
disclaiming.  The one I liked best was the one that the Naval Medical Center
at Great Lakes, IL had, and I have modified it over the years, with the
approval from 3 legal departments from previous employers that I have worked
for -- it states the following syntax:

!!!!!!  W A R N I N G  !!!!!!

THIS IS A PRIVATE COMPUTER SYSTEM.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.

This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for authorized
use. All computer systems may be monitored for all lawful purposes,
including to ensure that their use is authorized, for management of the
system, to facilitate protection against unauthorized access, and to verify
security procedures, survivability and operational security. Monitoring
includes active attacks by authorized personnel and their entities to test
or verify the security of the system. During monitoring, information may be
examined, recorded, copied and used for authorized purposes. All information
including personal information, placed on or sent over this system may be
monitored. Uses of this system, authorized or unauthorized, constitute
consent to monitoring of this system. Unauthorized use may subject you to
criminal prosecution. Evidence of any such unauthorized use collected during
monitoring may be used for administrative, criminal or other adverse action.
Use of this system constitutes consent to monitoring for these purposes.

What is the message stated here, and what was not given?

Not given were the following:
(1) No server name is shown.
(2) No functionality of the server is shown (i.e. mail or web server, etc.).
(3) No keywords shown: "welcome", "open", or anything stating openness.
(4) No network address is shown (no IP, no DNS, no nuttin').
(5) No company name or affiliation is shown.
(6) No facility, division, department or otherwise is shown.
(7) No geographic location is shown.
(8) No purpose of the server is shown or provided.

Message states that:
(1) The server is monitored.
(2) No timeframe given as to time, duration, or any specificity is provided.
(3) Nothing stated about who would perform the monitoring, other than it is.
(4) Statement of what could happen if "digitally trespassed".
(5) Purpose of the disclaimer.
(6) No copying of data.
(7) No unauthorized access of server, data, or anything contained therein.
(8) Access is method of acceptance.
(9) Access is method of consent of rules.

Modifications from the original disclaimer:
(1) Second line: "THIS IS A PRIVATE COMPUTER SYSTEM.".
(2) If a publically accessible system would be stated differently.

-----Original Message-----
From: Jeff Stebelton [mailto:jeff.stebelton () gmail com] 
Sent: Wednesday, July 06, 2005 7:26 AM
To: security-basics () security-focus com
Subject: Remote Access Banners

Can someone point me to the statues that govern the need for remote
access warning banners, such as those used on telnet or ftp servers?
Are there any cases where a banner was not used, and consequently an
attacker was not successfully prosecuted or/and got a reduced
sentence?


jeff