Firewall Wizards mailing list archives

RE: Vulnerability Scanners ( was: concerning ~el8 / project mayhem )


From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Mon, 26 Aug 2002 10:11:07 -0500

From: Paul D. Robertson [mailto:proberts () patriot net] 
Sent: Monday, August 26, 2002 8:15 AM

On Mon, 26 Aug 2002, B. Scott Harroff wrote:

loss. Commensurate discipline would be a slap on the hand.
If Jim surfs to a porn site (often) and Jane who sees this feels sexually
offended and harassed, and the company does not follow up with stopping
folks like Jim, the company could face an embarrassing and expensive lawsuit....

Actually, I think it's not necessarily good to stop "folks like Jim-" the 
"bad apple" defense means you *must* stop Jim once he's reported.  
However, if you put in a mechanism and it has flaws, you

What mechanism won't have flaws? 

could be more liable for the things that get through than you are if you 
don't try. Suddenly you've placed yourself in the position of an editor, 

You are only the editor if you are editing...what about subscription
services that provide "block lists"...are you still considered the editor,
when you are only blocking categories, and not individual URLs?

and legally, not trying and not failing is different than trying and
failing.

To me the above argument applies if you are an ISP, but not a non-ISP
corporation. People seem to forget that businesses are not democracies,
and the employee doesn't have the same rights as he/she would have in the
"real world." See the "No expectation of privacy" clause in the
email/Internet policy of prudent corporations.

I thought in order to protect in the case of lawsuits, a company can show
they were making "reasonable" attempts to prevent such activity from
occurring. Who can say they are completely effective in being able to stop
"folks like Jim" without disconnecting from the Internet?

The Internet was built to give one multiple ways to get what they want, and
more ways are being discovered and/or implemented to provide just that.
I.e., if I can't get it via HTTP, I'll use FTP, or Instant Messenger Direct
Connection, or zip it up in an email, or post it out on my project-specific
website and password protect it for only my "buddies" to get to, yadda,
yadda, yadda.


Agreed on both counts.  Not taking action can be very 
expensive though.....

As important as taking action is *when* you take action- and preemptive
strikes can cost you in court where post-event action won't.
If you continue to ignore the issue and take no pre-emptive 
measures, then post-event-only action may cost you as well.
This mindset would potentially (and in my opinion, doubtfully)
only work on the VERY first case at one's company. What Judge
is going to believe you "didn't know you were supposed to keep
the garbage out by filtering/blocking?" 

Even so, all other cases would then require pre-emptive action,
or the Judge could say "Don't you (the company) get the hint? You
need to stop this activity for ALL employees, not just those that
are being reported. Don't let me see you in this court-room again,
without having taken any precautions about preventing this."

About the only preemptive action that seems to have not landed anyone 
in hot water is training.

Training? What training? ;-)

Paul


Jeff

All comments are my own and in no way should be taken to be those of any
company.
In fact, they may contain no implicit value whatsoever.

