Forwarded from: "smoshlak@private" <smoshlak@private>
To: abriney@private

TAC-

Although defense counsel can subpoena records and perform depositions (within reason), there has to be something known as relevance to the matter. Any competent counsel can have this type of scenario blown out of the water, using the following analogy.

A person has entered upon another's property and is charged with trespass. Did he crawl over the fence, drive through the fence or parachute onto the property? Shall we call in the gate builder, the architect or the manufacturer to testify about the security of the gate and fence? Whether it was made of wood, chain link or of the "concertina-wire" type? It doesn't matter, since he has trespassed.

In this case, they were able to identify the who, where and the what. Whether or not an institution has a security plan (for purposes of the Court) is irrelevant. A computer network is not a swimming pool, which is defined by law as an "attractive nuisance."

This individual allegedly tried to extort money from an entity, whether the threat is real or perceived. Specifically speaking, if one walks into a bank and states to the teller, "I have a pistol in my pocket and to fill the bag up with money...," and doesn't have a pistol, but takes the bank's money, it begs the question: Is it still robbery?

Having Michael Bloomberg take the stand to testify about his information systems security plan, or outlining, in detail, his digital infrastructure, was irrelevant and immaterial, considering the circumstances. The same holds true for other employees in his office.

Just my thoughts,

Steven Moshlak
Expert Witness, Information Security and Technology

Original Message:
-----------------
From: InfoSec News <isn@private>
Date: Mon, 18 Oct 2004 01:23:25 -0500 (CDT)
To: isn@private
Subject: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were not aware of [a] bug that allowed someone to enter the system?

Bloomberg: That's correct. It's not just someone. You would have to work pretty hard to do it and have to be reasonably competent to do it.

Attorney: Would it be fair to say that that bug was a dangerous threat to the security of your system?

Bloomberg: Absolutely.

-Testimony of Michael Bloomberg, U.S. v. Zezev

New York City Mayor Michael Bloomberg endured more than an hour of cross-examination during the 2003 criminal trial of Oleg Zezev, a Russian citizen later convicted of hacking Bloomberg LLP's network and making extortion demands. Bloomberg didn't make excuses for weaknesses in the company's digital infrastructure. He met the issue head-on.

Is your CEO prepared to do that?

Your company will undergo intense scrutiny if a case against a cybercrime suspect goes to trial. Your employees, from the IT staff to the corner office, will be cross-examined by defense attorneys, who will attack their competence, challenge their statements and attempt to discredit corporate policies and processes. Internal, often sensitive, documents and information may become part of the public record, and, if the case generates enough buzz, it's fair game for CNN and The New York Times.

When your company takes the stand, you're asking for an open--and very public--security audit. Although you can't control everything that goes on in the courtroom, you can prepare your employees for the concentrated defense questioning.

[...]

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Wed Oct 20 2004 - 00:24:23 PDT