[ISN] To key or not to key

From: mea culpa (jerichoat_private)
Date: Thu Aug 20 1998 - 01:24:30 PDT

  • Next message: mea culpa: "[ISN] AUCRYPTO: PRIVACY AMENDMENT BILL 1998 [Attorney General]"

    Forwarded From: blueskyat_private
    Originally  From: SpyKingat_private
    There has been a lot of talk about PC security lately with the release of
    programs like Back Oriface and the multitude of keystroke logging programs
    available on the net. 
    Many computer systems administrators, security personnel and even parents
    use keystroke logging programs as a means of monitoring employees, system
    intruders and children. Is it legal? 
    According to U.S. Code section 2512 it may not be... 
    U.S.Code 2512 states: 
    >Except as otherwise specifically provided in this chapter, any person who
    intentionally -
    >(a) sends through the mail, or sends or carries in interstate or foreign
    commerce, any >electronic, mechanical, or other device, knowing or having
    reason to know that the >design of such device renders it primarily useful
    for the purpose of the surreptitious >interception of wire, oral, or
    electronic communications;
    >(b) manufactures, assembles, possesses, or sells any electronic,
    mechanical, or other >device, knowing or having reason to know that the
    design of such device renders it >primarily useful for the purpose of the
    surreptitious interception of wire, oral, or >electronic communications,
    and that such device or any component thereof has been >or will be sent
    through the mail or transported in interstate or foreign commerce; or
    >(c) places in any newspaper, magazine, handbill, or other publication any
    >advertisement of - (i) any electronic, mechanical, or other device
    knowing or having >reason to know that the design of such device renders
    it primarily useful for the purpose >of the surreptitious interception of
    wire, oral, or electronic communications; or
    >(ii) any other electronic, mechanical, or other device, where such
    advertisement >promotes the use of such device for the purpose of the
    surreptitious interception of wire, >oral, or electronic communications,
    knowing or having reason to know that such >advertisement will be sent
    through the mail or transported in interstate or foreign >commerce, shall
    be fined under this title or imprisoned not more than five years, or
    >both. " 
    Hmm... primarily useful for the purpose of surreptitious interception of
    electronic communications... What else is a keystroke recorder good for? 
    See the problem? 
    According to this law the design, manufacture, possession and use of this
    software is illegal. Just advertising it for sale is also a felony...
    Lets say you wanted to keep an eye on your spouse... Maybe you think she
    is spending too much time in the chat rooms... You decide to put a
    keystroke recorder on YOUR PC that SHE uses... is it legal? Under this
    law?  I think not... 
    How about checking on your children to see what they are up to on the net? 
    Wouldn't it be the same as a telephone recorder attached to your phone
    line and hidden in the basement to record your spouse? Thats a felony
    isn't it?  Quite a few folks have been prosecuted for it... and convicted
    when caught... 
    A short time ago a teenager was caught using a "program" that recorded
    keystrokes that allowed him access to AOL user names and passwords. He was
    convicted under THIS SAME LAW and is now awaiting sentencing in Southern
    District of New York.
    The sentence he faces is 5 years in jail and a $250,000. fine... 
    A few years ago CERT broadcasted an advisory that warned system
    adminstrators that keystroke monitoring may be illegal and advised them to
    place a warning to users of the system. 
    >The CERT Coordination Center has received information from the United
    States >Department of Justice, General Litigation and Legal Advice
    Section, Criminal Division, >regarding keystroke monitoring by computer
    systems administrators, as a method of >protecting computer systems from
    unauthorized access.
    >The information that follows is based on the Justice Department's advice
    to all federal >agencies. CERT strongly suggests adding a notice banner
    such as the one included >below to all systems. Sites not covered by U.S. 
    law should consult their legal counsel.
    >The legality of such monitoring is governed by 18 U.S.C. section 2510 et
    seq. That >statute was last amended in 1986, years before the words
    "virus"  and "worm" became >part of our everyday vocabulary. Therefore,
    not surprisingly, the statute does not >directly address the propriety of
    keystroke monitoring by system administrators. " 
    Hmmm... so that means that your possession and use of keystroke monitoring
    software may be a felony under this existing law... Lets examine this CERT
    advisory a little more... 
    >Attorneys for the Department have engaged in a review of the statute and
    its legislative >history. We believe that such keystroke monitoring of
    intruders may be defensible >under the statute. However, the statute does
    not expressly authorize such monitoring.  >Moreover, no court has yet had
    an opportunity to rule on this issue. If the courts were >to decide that
    such monitoring is improper, it would potentially give rise to both
    criminal >and civil liability for system administrators.
    "May be defensible"? So in other words its the SysAdmin left holding the
    bag and gambling 5 years of their lives... 
    According to the latest statistics at <http://www.cultdeadcow.com> over
    50,000 people have downloaded Back Oriface alone! There are several sites
    on the net that allow free shareware downloads of their keystroke
    According to this federal law they are felons... both the creators of such
    software and the people who download and use the software... 
    Something has to give... I recognize the legitimate use for this
    software... most on this list will also... it is a necessary tool for a
    variety of legitimate purposes... 
    Our "technically challenged lawmakers" must get their heads out of their
    "you know where"... and change these laws so they allow legitimate
    computer, security and investigative personnel the tools to do their
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:46 PDT