RE: Who's liable?

[Russell Berry <russ () berrex com>]

The wording of our constitution stipulates that a law enforcement agency must
produce a PERP.  A single individual or individuals that may be PERSONALLY held
accountable for the alleged crime.  Do NOT think for a moment, even in these
times of increased federal jurisdiction that your civil liberties will have
become so frail that the FBI (or other entities) may walk in and take your
equipment/records/business.

Oh, that was the politically correct answer.  My real thoughts are:
Log everything
Expect the feds to rip your life out from under you at any moment
Log everything
Wear Kevlar
Log everything
Buy a gas mask
Log everything
Buy Cipro
Log everything
Analyze your relationship with every human being you ever come in contact with
Log everything
Be paranoid
Log everything
Buy a canary
Know that one day it will be demanded that you prove your right to exist
Drink lots of water
Read between the lines of nonsense
You are liable for anything you have the most remote knowledge of
Know right from wrong.

---russ



On 13-Oct-01 Michael F. Bell wrote:
> These are fictional scenarios that I am SURE that
> other people would like to discuss.
>
> Lets say you are a small realty agency, and you provide internet access
> to your employees and one of your employees hacks into the Whitehouse
> website from your internal network.  You do not have any logging going
> on from your SOHO firewall and the FBI shows up at your door one day
> with a warrant to search your computers for evidence of hacking into the
> Whitehouse website.  The FBI searches all 10 computers in your network
> and comes up without any hard evidence from these 10 machines linking
> them to the the hack into the Whitehouse website.  Your company is not
> doing  any firewall logging and you do not have any public servers that
> could have been hacked so someone could have remotely launched the
> attack?  All that the FBI has is your publicly NAT'ed firewall address.
>
> Who is liable??  What can the FBI do at this point?
>
> The above scenario is all fictional from my standpoint.  I could imagine
> that this is someones reality though...
>
> Lets change the victim from a Goverment agency to a private one.  Lets
> say that EBAY got hacked and they launched the same sort of
> investigation with the same findings..  What can be done from a legal
> /financial standpoint if an attack is detected from your company network
> and there is no proof on exactly who did it?  Can the victims take legal
> action against you, or is there some sort of protocol from a legal
> standpoint that hinders this?  
>
> > Michael Bell
> > mike_b () rhinobyte com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


Russell Berry
Berrex Computer Solutions
FireWallZ.Com
http://www.berrex.com
russ () berrex com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com