[Dshield] Question on appropriate university research

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Sep 19 20:05:22 GMT 2007

On Wed, 19 Sep 2007 14:26:57 EDT, Valdis.Kletnieks at vt.edu said:

> When exactly did US Cert give this advice, and did they specifically say it
> would apply to portscanners, or was it for the *DIFFERENT* usage case of
> notifying people who *logged in* that activity was monitored and abuse could
> be prosecuted?

Incidentally, the advice regarding login banners has a *different* legal basis.

Basically, it's there so that you, as the systems management, can sustain a
claim that all users, both authorized and unauthorized, had been given notice
and therefore had implied consent to monitoring.  That would render moot any
claim by an attacker that evidence against them had been obtained via an
illegal intercept as defined by 18 USC 2511:

18 USC 2511 (2)(c):

"It shall not be unlawful under this chapter for a person acting under color of
law to intercept a wire, oral, or electronic communication, where such person
is a party to the communication or one of the parties to the communication has
given prior consent to such interception."

(Remember, in this case, the attacker is one party, and the *other* party is
almost certainly somewhere else - the system owner is *not* one of the parties)

The gotcha is that 18 USC 2515 says basically that if it was an illegal
intercept, both it, and any other evidence it leads to, can't be used in a
court of law.

The average provider actually has a fair amount of legal wiggle room for
traffic monitoring under 18 USC 2511 (2)(a)(i) - the problem is that it's
phrased as "while engaged in any activity which is a necessary incident to the
rendition of his service or to the protection of the rights or property of the
provider of that service,".  Most things sysadmins do as part of their job
are covered under there.  However, being able to add "implied consent" to
the mix helps the legal status a whole bunch....
