On Mon, 6 Dec 1999, Marc Renner wrote:
> Hi Peter,
>
> Your dilemma is quite typical, however you are far ahead of most would-be system
>admins. The majority would simply throw the system together, completely oblivious of
>the ensuing nightmare.
>
> Here's what's going to happen:
Um, no not really...
>
> You're going to put the website up (and probably soon thereafter a mail server).
>Immediately after your web/mail servers are in production, 1000 wannabe hackers (and
>2 very good ones) are going to compromise your system and use it to launch attacks
>against NASA, the FBI, the White House etc etc..
>
> Next, whatever agency gets pissed off the most is going to call the NSA (National
>Security Agency) who is going to come to your little office and TAKE EVERYTHING YOU
>OWN.
>
> Granted this is Worst_Case_Scenario, however don't be surprised. I'd suggest getting
>Linux6.1 (which is Free) and throw it on a little 486 PC with 2 nics. Check out the
>following link for more specific details:
No, this is a fantasy scenario, NSA doesn't have the power to take
anything in the United States from a US Citizen. In the case that it's
related to intelligence, the FBI has jurisdiction, and a section called
Foreign Counter-Intelligence does the work. The FBI can come in (FCI or
not), the USSS can come in, the US Park Police can come in, the US
Marshals can come in, the local sheriff/police can come in, but NSA can't
and won't.
Also, all USG agencies would call DOJ or the FBI. NSA might be called if
it was a custodial issue with classified information- not that I think
you'll see more than one system on the Internet with classified on it,
but they'd still be secondary to the FBI.
Besides, civil liability is probably a more likely worst-case than
criminal liability if there's no cooperation with the attacker.
In your scenario he's a victim, and victims don't generally get anything not
directly related to evidence seized, and sometimes not even that if the
material can be copied and that's enough to make the case. See there's this
little Constitutional issue about seizures and how they have to be related to
the case. Now it's true that things have been getting a little broad on
that score especially in relation to people actually committing crimes,
or people who have a high likelihood of having done so crimes, but I've
yet to hear of a case where an innocent 3rd party had anything outside the
scope of their own compromise seized where they weren't the target of the
investigation. Perhaps you could provide some relevant citations?
Finally, most of the breakins I've seen (and they're probably not a
statistically valid sample, but they're better than too many B movies for
a basis) the compromised systems haven't been used to go after inane
targets like the FBI or NSA. Nobody with half a brain would think
there's a good reason for trying to crack NSA unless they were 7 and just
saw War Games- and even then they'd probably have to be drunk.
There are plenty of "worst case" scenarios that can and should be
considered when connecting to the Internet, but this one is more like a
post from alt.conspiracy about jeeps and black helicopters than anything
I'd encourage anyone to make a business decision over.
Make the decision over the cost to the business of Web server compromise,
host compromise, disruption of services, etc. Then weigh the value of a
firewall (which isn't perfect protection) against host security (which is
more perfect but costs more in time and effort and may take social
changes for desktops.) Firewalls are relatively cheap insurance for
networks. They're pretty poor insurance from the government ;)
It's probably more likely that you're worried about someone putting
pornographic images on your Web server than the evil government spooks
stealing all your assets for their nefarious purposes. That's not such
a good movie plot though.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280