On Mon, 28 Jun 1999, Technical Incursion Countermeasures wrote:

> At 09:21 27/06/99 -0400, you wrote:
> >Slightly off-topic:  - could the owner of a LAN (be it company, university
> >or whatever) be held responsible for a hack attack on another computer
> >system originating from one of the computers on its network?
> 
> As far as I know it should not be unreasonable to assume that this will
> occur sooner or later. I can see two areas for a case here..
> 
> One is the one of direct assault on behalf of the organisation. In
> other words someone within your org mounts an attack against another org -
> it can be held reasonable that the originating org had full knowledge of
> this occurring.

If this were the case, it'd be pretty cut and dried, and no amount of 
outbound filter rules would stop it from happening.  Voluntarily doing 
something wrong means taking the consequences, and there's little an 
administrator can currently do to protect against it outside of 
trusted networks.  Certainly fairly open Internet access won't give them 
any such tools.

> Two: A tort case for criminal negligence. In other words if the attack came
> from your systems then you should be aware and your security should be good
> enough. Therefore you have a duty to ensure that you are not aiding or
> abetting criminals.

What standard would you apply to "good enough?"  The parallel would be 
holding a car owner liable for hit and run because his car was 
stolen from his house and the criminal ran over someone with it.  We all 
know car windows can be broken.  Is an unalarmed car "good enough?"  What 
about street parking?  IMO a civil case has a much better chance of being 
successfully brought against someone than a criminal negligence case.  It'd 
be pretty difficult to argue to a jury that a buffer overflow attack was 
something the average computer user needed to know how to (or even could) 
protect against given the nature of the proprietary software market.  
Even more difficult to prove negligence if the intruder removed any trace of 
the method of entry.  Given the range of possible attacks and possible 
attackers, I'm not sure that "you should be aware" has a sound basis 
either.  As far as I know, "aiding or abetting" has to be a choice, not 
happenstance because you didn't alarm your house before the 
criminal broke in and stole your car keys.  
 
> Anyway - if it's in the US - I'm sure someone will try and sue sooner or
> later :}

I'm sure too; I just think it's not happened because there needs to be a 
significant amount of true negligence or co-option.  If it were any 
other way, companies which hired people with a clue about what attacks 
were possible would be in more danger of losing litigation than those 
which weren't.  Just because I know you can drown someone in a bucket of 
water doesn't mean that I'm liable for you drowning someone with it if I 
leave a bucket on my back step.

As always, I am not a lawyer and I don't play one on the Net.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
