Firewall Wizards mailing list archives
RE: Vulnerability Scanners ( was: concerning ~el8 / project mayhem )
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Mon, 26 Aug 2002 10:11:07 -0500
From: Paul D. Robertson [mailto:proberts () patriot net]
Sent: Monday, August 26, 2002 8:15 AM

> On Mon, 26 Aug 2002, B. Scott Harroff wrote:
>
> > loss. Commensurate discipline would be a slap on the hand. If Jim
> > surfs to a porn site (often) and Jane who sees this feels sexually
> > offended and harassed, and the company does not follow up with
> > stopping folks like Jim, the company could face an embarrassing and
> > expensive lawsuit....
> Actually, I think it's not necessarily good to stop "folks like Jim" -
> the "bad apple" defense means you *must* stop Jim once he's reported.
> However, if you put in a mechanism and it has flaws, you

What mechanism won't have flaws?

> could be more liable for the things that get through than you are if
> you don't try. Suddenly you've placed yourself in the position of an
> editor,

You are only the editor if you are editing... What about subscription services that provide "block lists"? Are you still considered the editor when you are only blocking categories, and not individual URLs?

> and legally, not trying and not failing is different than trying and
> failing.

To me the above argument applies if you are an ISP, but not a non-ISP corporation. People seem to forget that businesses are not democracies, and the employee doesn't have the same rights as he/she would have in the "real world." See the "No expectation of privacy" clause in the email/Internet policy of prudent corporations.

I thought that in order to protect themselves in the case of lawsuits, a company can show they were making "reasonable" attempts to prevent such activity from occurring. Who can say they are completely effective in being able to stop "folks like Jim" without disconnecting from the Internet? The Internet was built to give one multiple ways to get what they want, and more ways are being discovered and/or implemented to provide just that. I.e., if I can't get it via HTTP, I'll use FTP, or an Instant Messenger direct connection, or zip it up in an email, or post it on my project-specific website and password-protect it for only my "buddies" to get to, yadda, yadda, yadda.
> Agreed on both counts. Not taking action can be very expensive though.....
> As important as taking action is *when* you take action - and preemptive
> strikes can cost you in court where post-event action won't.

If you continue to ignore the issue and take no pre-emptive measures, then post-event-only action may cost you as well. This mindset would potentially (and in my opinion, doubtfully) only work on the VERY first case at one's company. What judge is going to believe you "didn't know you were supposed to keep the garbage out by filtering/blocking?" Even so, all other cases would then require pre-emptive action, or the judge could say "Don't you (the company) get the hint? You need to stop this activity for ALL employees, not just those that are being reported. Don't let me see you in this courtroom again without having taken any precautions about preventing this."

> About the only preemptive action that seems to have not landed anyone in
> hot water is training.

Training? What training? ;-)

> Paul
Jeff

All comments are my own and in no way should be taken to be those of any company. In fact, they may contain no implicit value whatsoever.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards