[Dshield] Re: South Carolina, Computer Crime, etc. -- A point of legal clarification.

Ed Truitt ed.truitt at etee2k.net
Mon Aug 26 12:37:28 GMT 2002


There have been several good points made in response to my original
(somewhat paranoid?) reply.  I think there is one other thing that hasn't
been brought up, yet:  the wild variation of technical expertise of the
"systems admins" out there.  Let's face it, anyone with access to the
"Admin" id on an XP-Home box is technically a system admin.  However, I
wouldn't expect the average home user to even THINK of a formal written IP
policy - and, as we found with Nimda and SQLSnake, there are "user-level"
programs that install "server level" software (IIS and SQL Server) - and,
yes, this isn't limited to MS and Windows (just look at a "complete" Linux
install).

Combine this with the fact that prosecutors tend to target those without
substantial funds as being easier to convict, the desire of communities to
use criminal prosecution to "make a statement", and the fact that your
average jury probably knows even LESS about this topic than the prosecutor
does - and then change Mark's scenario to read:

"If you happened to be a foreign national, say of Middle East extraction,
residing in the US, operating a computer system at your home, and your
system is hacked and used to initiate a substantial DDOS against the SC
power grid which results in a state-wide power outage, you might be
surprised at the definition of normal due diligence that is applied to you."
And, my guess, the definition would in part depend on how high the body
count is.

BTW, I was just kidding about my router DENY tables.  After all, one of my
boxes is still running Win95(!), so any claim I make of being "up to date"
would be shot down almost immediately.

Regards,
-etee

----- Original Message -----
From: "Mark Rowlands" <mark.rowlands at minmail.net>
To: <list at dshield.org>; "Jon R. Kibler" <Jon.Kibler at aset.com>
Cc: "Ed Truitt" <ed.truitt at etee2k.net>
Sent: Monday, August 26, 2002 12:14 AM
Subject: Re: [Dshield] Re: South Carolina, Computer Crime, etc. -- A point
of legal clarification.


> On Sat August 24 2002 21:04, Jon R. Kibler wrote:
> > Ed:
> >
> > Please RELAX!
> >
> > I had the same concerns about this law when it was under discussion in the
> > SC Senate Judiciary Committee. However, there is nothing to worry about
> > here, so long as you exercise normal due diligence as a systems security
> > administrator.
>
> Heartening words, but given the level of paranoia in the US about homicidal
> terrorists wielding killer computer virii combined with the generally low
> level of expertise and knowledge of computer technology of the average
> prosecutor, I wouldn't want to rely on what appears to qualify as "normal"
> due diligence.
>
> If you happened to be a foreign national, say of Middle East extraction,
> residing in the US, operating a computer system in the US and your systems
> are hacked and used to initiate a substantial DDOS against a governmental
> agency, you might be surprised at the definition of normal due diligence that
> is applied to you.
>
> Conclusion:-
>
> Have a written policy, implement it, document that you implemented it, keep it
> up to date and don't eat yellow snow.
>