On Sun, 27 Jun 1999, Brian Steele wrote:

> Slightly off-topic:  - could the owner of a LAN (be it company, university
> or whatever) be held responsible for a hack attack on another computer
> system originating from one of the computers on its network?

It's possible, but doesn't seem to have happened in any significant way 
yet in the US.  The Internet is of course multi-jurisdictional, so 
multi-national corporations have more to lose (having entities and having 
to do business in countries that may not hold agreements with the US on 
cross-prosecuting, seizing assets, etc.).  

> The reason I ask this question is that I get the impression that people are
> paying the most attention to what comes IN through the Firewall, and little
> if any attention to what goes OUT through the same doorway.

That's predominantly because the US legal system has held the "bad apple" 
defense as valid for many, many years.  What that boils down to is that 
as long as a company has written policies describing acceptable 
behaviour, and generally that doesn't *usually* have to cover saying 
criminal behaviour is wrong (The Trade Secret Act and relevant defenses 
in that area as well as in the area of the hostile workplace tend to be 
the standards best put to policy and reaction to the reporting of an 
incident IMO (but I am *not* a lawyer and I don't play one on the 'Net.)), 
then the company is able to discharge its own liability by pointing the 
litigation at the employee doing the bad stuff.  

The real gray [grey] area seems to be in holding someone negligent if 
they don't secure a system well enough to prohibit its use as a jumping 
off point to attack another network.  Generally though, we'd see a 
significant increase in liability cases if it were held true that 
something had to be protected to an extreme to absolve the owner of 
liability.  "Best common practice" doesn't seem to be a valid defense for 
liability, so common sense wouldn't hold well if the US court system 
started to hold liability chains as a significant factor in assigning 
blame.  The landmark in that area is a very old case about a Great Lakes 
fishing company that didn't issue life jackets to its crew at a time 
(early 1900's IIR) when most fishing crews weren't given safety 
equipment.  While it serves as a landmark for best common practice not 
being valid, I'm not sure it wouldn't also serve as a landmark for 
corporate liability if someone using the company's equipment for their 
own banking or trading weren't fully protected from harm.

I'm currently dancing part of the continuing "go ask the lawgeeks the 
difficult questions" dance.  Most of the internal liability questions I've 
asked have been met with the idea that the court system and legal system aren't 
really going to rain doom down upon folks for this stuff.  Policy 
statements seem to be a good legal defense in most instances.  Setting 
standards and using standards to secure machines may increase or decrease 
liability - nobody seems too sure yet.  

Given the number of jurisdictions applicable, it's a monster nightmare.  
It's hard enough coming up with a boilerplate "John Doe" complaint that 
even a handful of US jurisdictions will take seriously enough to issue 
subpoenas in a civil complaint (for most cracking issues, criminal 
investigation seems to take entirely too long to get moving to ensure 
logs and disks are obtained).

Don't forget that service providers don't seem to have Common Carrier 
protections in the US yet either, so there's more than a single can of 
worms to be opened in this area.  

Some of these laws, such as (I think) the Trade Secrets Act can make a 
sysadmin *criminally liable* for content on their systems.  It's obvious 
that there's a long way for the law to go before it gets a handle on 
things like steganography.  Proving that a company didn't steal the trade 
secrets on its servers will be a fairly high hurdle.  The only saving 
grace so far for the Trade Secrets Act is that the AG of the United 
States personally oversees every case brought under that statute.

Someone pointed out in the thread-that-would-not-die that software 
licensing seems to have protected manufacturers from liability in these 
types of cases so far.  If it's repeatable, then I think bi-directional 
connectivity licenses would provide much the same protection in 
networking if it becomes necessary.  If they aren't enforceable, then things 
get pretty ugly pretty quickly.

Once one ambulance-chaser gets a good liability precedent set, I'm going 
into the sysadmin insurance business.  It'll be a booming market.  

The lawyers and prosecutors I've spoken to on liability issues outside of 
my company and firms contracting for my company all seem to think it's 
just a matter of time before the floodgates open.  My company gets sued 
pretty much every single day, so the perspective there isn't as much on 
lawsuit avoidance (We do as much of that as possible, but unlike most 
companies, we don't hold it as earth-shattering when someone issues a 
complaint against us) as it is on not losing if and when it happens.  We 
keep enough clued lawyers and lawfirms around that it's no big deal.  
That's obviously not the norm, and if your company's business model 
doesn't contain a sizable legal budget, you're best off spending some 
up-front money getting qualified opinions before it's too late.  

I will say that it's almost *always* best to get at least some of the 
stuff out of the way first, because you *will* have to educate the 
lawyers on technical issues.  The more time they have to think about 
that, the better they'll do in filings, pleadings, and explanations to 
judges - for both defense and as the plaintiff.  

I am not a lawyer, consult competent legal counsel, yadda, yadda, yadda.

As a side note, outside lawyers are always good for picking up lunch tabs - 
and they all eat in good places :)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
