RE: [ISN] Italian Police Nab Hacker Group

From: InfoSec News (isnat_private)
Date: Mon Jan 21 2002 - 00:28:46 PST


    Forwarded from: Marjorie Simmons <lawyerat_private>
    [This is the last posting on this topic. - WK]

    The "qualitative damages that are hard to put a dollar figure on" is
    called, in legal-damages parlance, "business good will."  It is
    ascertainable and quantifiable, and has been for a long, long time.

    In law there are the concepts of assumption of the risk, comparative
    negligence, apportionment of damages, and, of course, proof of damages
    in order to (as a prerequisite to) recovery of damages.  I've been
    interested for a while now that there hasn't been more press skepticism
    nor general business understanding that the assessment of damages from
    defacements subjects itself nicely to such timeworn tests and really
    is little different from other business losses assessments.

    What needs attention is the quite deliberate obfuscation of these
    concepts (by wannabe profiteers as well as by some clueless press
    people) going on at a pretty constant pace.  Folks need to
    disentangle, conceptually, the defacement act and motive from the
    assessment of damages in order to sort out the issues, which are
    multiple.  The relationship(s)  between an act and the consequences
    flowing from that act is (are) not so Byzantine as Windows security.

    I write letters, at times, and in response to the following letter, I
    was met by silence (surprise, surprise):

    From:   Marjorie Simmons
    Sent:   Thursday, June 08, 2000 10:52 pm
    To:     'Ms Patrice Rapalus'
    Subject:        5th Computer Crime & Security Survey

    Dear Ms Rapalus,

    With regard to your most recent survey:

    I am curious as to whether your survey asked the respondents
    1)  whether they reported their losses to 
        their shareholders and investors?
    2)  if not why not?
    3)  if so then why was this not reported on in the survey?

    This information is relevant, important, and, it seems to me that your
    survey is seriously flawed for the lack of this data.  Many a lawsuit
    could be avoided or settled more quickly if companies did not attempt
    to, with impunity, report quite staggering financial losses to the
    press from security breaches and then somehow forget those losses when
    it comes time to communicate with investors and shareholders, not to
    mention with the IRS.

    If this was somehow simply overlooked, I hope you will soon work to
    correct it.  Perhaps in the meantime your staff could query a sampling
    of the survey respondents for this information and post the results on
    your site as a survey supplement.

    Marjorie Simmons

    Lots of other questions I *could* have asked her, but, I knew not to
    waste too much of my time.

    The concepts of assumption of the risk, comparative negligence,
    apportionment of damages, and proof of damages are all rooted in
    common sense and a sense of fair play, but only rarely are they
    considered when some members of the press, driven by whatever impulse,
    run to the people with their Gee Look At This sensationalist
    pontifications. Such behavior is certainly not limited to things
    technical; axiomatically, the more complex the subject matter, the
    more this happens. However, this is but history as usual.

    Luckily, most of the judiciary is a lot smarter than that and lacks
    the agendas of the players in the press and those who pay for the
    dissemination of certain 'news' items. So when defacement cases go to
    court, if they go to court, damages must be proven within a reasonable
    degree of certainty, negligence IS compared, and the assumed risks ARE
    considered (all assuming, of course, that the lawyers involved bring
    these arguments before the court.)

    So while we can try the cases in the Court of Email in order to be
    clearer on the issues and to educate our contemporaries, we should be
    mindful that the concepts are ancient and not difficult to apply, no
    matter the venue.  What is needed is to call the agenda-minded on
    their errors in the more public forum.

    DO try this at home:  give some little gratis presentations to your
    community Rotary club, or other such groups.  (Do it for free in the
    spirit of Open Source -- a public affirmation of no agenda on your own
    part.)  Talk about where a company can expect to face losses and how
    to account for them in real terms, and why. Use real-life examples.  
    Make them ask questions, even those you cannot answer, and suggest for
    those they seek the advice of their accountants and lawyers.  If you
    think yourself (1) too important for this, or (2) not known enough,
    you're (1) not, (2) not giving yourself enough credit.

    Was (is) anyone here a Scout?  or an intelligence officer?  (never
    ...!  ; ) ), a veteran?  Does 'Be Prepared' sound familiar? It will
    get muddier before it becomes Old Hat.

    Marjorie Simmons, Esq.

    On Thursday, January 17, 2002 11:15 pm, InfoSec News [SMTP:isnat_private] wrote:
    | Forwarded from: mezzanine <mezzanineat_private>
    | > I would like to say that anytime a website gets defaced there are
    | > always monetary damages.
    | Very true. I agree.
    | > There are always qualitative damages that are hard to put a dollar
    | > figure on.

    This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 03:47:41 PST