Security Incidents mailing list archives

Re: Who's liable?


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Sat, 13 Oct 2001 15:33:35 -0700 (PDT)

On Sat, 13 Oct 2001, Michael F. Bell wrote:

> Let's say you are a small realty agency, and you provide internet access
> to your employees and one of your employees hacks into the White House
> website from your internal network.
> <snip>
> Who is liable??  What can the FBI do at this point?

        No liability is identified at the time.  But I guarantee you that
the FBI will confiscate all machines on site and send them off for
forensics evidence gathering.  Don't bother objecting that it will cause
your business undue hardship.  LEAs don't care.  Period.

> Let's change the victim from a Government agency to a private one.  Let's
> say that EBAY got hacked and they launched the same sort of
> investigation with the same findings.  What can be done from a
> legal/financial standpoint if an attack is detected from your company
> network and there is no proof on exactly who did it?  Can the victims take
> legal action against you, or is there some sort of protocol from a legal
> standpoint that hinders this?

        Depends on the damages.  If they reach a certain amount, the FBI
will be called in and we're back to situation one as described in the
earlier part of my reply.  If the damages are minimal and don't warrant
FBI involvement, then eBay will simply absorb the loss, (hopefully) make
appropriate updates to their security policies, practices and procedures,
and mush on.

        In the final analysis, any system that can't do even basic
auditing and accountability on their networks will -- at the very least --
wind up on many an admin's firewall blacklist.  I've been doing as much
with abuse-friendly networks since the '90s.  At most, the FBI will be
called in and will (in the name of the law) rip that network's systems
down to the wires. 

-Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-- Peace without honor is life without living. --'  `------'

