RE: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.

From: InfoSec News (isn@private)
Date: Thu Oct 21 2004 - 01:10:02 PDT


Forwarded from: Carole Fennelly <fennelly@private>
Cc: abriney@private

Relevance is definitely important, and I thought that was the point I made here 
(though it could have been clearer):
"Through the discovery process, the defense counsel has access to all seized 
evidence and can subpoena anything that may show negligence or weaken the
					^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 case--possibly revealing holes in IT security policies, processes and 
infrastructure. If your security is weak, it's much more difficult to
prove that a particular individual was responsible for the crime. "

As to the issue of trespass, we don't know that the defendant *has*
trespassed, which is why we're in trial (innocent till proven
guilty?). The trespass is a matter of fact to be determined by the
jury. And it is perfectly relevant to get the architect of the gate in
to determine if someone else could have been the guilty party because
of a weakness in the gate. 18 USC 1030 states that you have to
deliberately trespass or attempt to trespass in order to be found
guilty. If through a buggy interface, you inadvertently trespass,
there is no guilt under 18 USC 1030.

As to the Bloomberg case, the point the defense was making was that
the defendant performed a service to demonstrate his skills by
reviewing the security of the system and documenting its failings. The
Bloomberg people were not aware of the failings before the defendant
informed them and were able to redesign the system to be more secure.
The defense contention was that the defendant very naively thought
they would be pleased by his unsolicited "service" and pay him for his
time (and hire him to do more work). The argument was also on the
extortion charge, not just the trespass (there was also argument that
he was a valid trial user of the Bloomberg software and was checking
the security). Defense contended that extortion was not intended, but
there were communication problems (defendant's English wasn't good)
and the defendant was being an aggressive "risk taker", much like
Michael Bloomberg was himself when he started his company.

The US vs. Zezev case is a matter of public record and makes
interesting reading, if you are a computer crime geek. The judge,
Kimba Wood, did rule that Bloomberg's testimony was relevant,
especially regarding his perception on extortion.  Bloomberg stated in
a previous deposition, unrelated to this case, that he felt a sexual
harassment suit filed against his company by a former female
executive was a form of extortion. The defense tried to show that
Bloomberg saw an extortion attempt where there was none. The point I
was making is that you really don't know how the judge will rule on
relevance until it comes up. That's why attorneys get to say
"Objection: Relevance" and the judge can say "Sustained" or
"Overruled".


-cf

>---------- Forwarded message ----------
>Date: Mon, 18 Oct 2004 06:56:25 -0400
>From: "smoshlak@private" <smoshlak@private>
>To: abriney@private
>Cc: isn@private, isn@private
>Subject: RE: [ISN] On Trial - Prosecuting cybercrime puts your
>    organization--and your security--on the hot seat. 
>
>TAC-
>
>Although defense counsel can subpoena records and perform depositions
>(within reason), there has to be something known as relevance to the
>matter.  Any competent counsel can have this type of scenario blown out of
>the water, using the following analogy.
>
>A person has entered upon another's property and is charged with trespass. 
>Did he crawl over the fence, drive through the fence or parachute onto the
>property?  Shall we call in the gate builder, the architect or the
>manufacturer to testify about the security of gate and fence?  Whether it
>was made of wood, chain link or of the "concertina-wire" type?  It doesn't
>matter, since he has trespassed.  
>
>In this case, they were able to identify the who, where and the what. 
>Whether or not an institution has a security plan (for purposes of the
>Court), is irrelevant.  A computer network is not a swimming pool, which is
>defined by law as an "attractive nuisance."  This individual allegedly
>tried to extort money from an entity, whether the threat is real or
>perceived.  Specifically speaking, if one walks into a bank and states to
>the teller, "I have a pistol in my pocket and to fill the bag up with
>money..," and doesn't have a pistol, but takes the bank's money, begs the
>question: Is it still robbery?
>
>Having Michael Bloomberg to the stand to testify about his information
>systems security plan or outlining, in detail, his digital infrastructure
>was irrelevant and immaterial, considering the circumstances.  The same
>holds true for other employees in his office.  
>
>Just my thoughts,  
>
>Steven Moshlak
>Expert Witness, Information Security and Technology
>
>Original Message:
>-----------------
>From: InfoSec News isn@private
>Date: Mon, 18 Oct 2004 01:23:25 -0500 (CDT)
>To: isn@private
>Subject: [ISN] On Trial - Prosecuting cybercrime puts your
>organization--and your security--on the hot seat. 
>
>
>http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html
>
>By Carole Fennelly
>October 2004
>
>Attorney: Is it fair to say that, prior to March 24, 2000, you were 
>not aware of [a] bug that allowed someone to enter the system?
>
>Bloomberg: That's correct. It's not just someone. You would have to 
>work pretty hard to do it and have to be reasonably competent to do 
>it.
>
>Attorney: Would it be fair to say that that bug was a dangerous threat 
>to the security of your system?
>
>Bloomberg: Absolutely. 
>
>-Testimony of Michael Bloomberg, U.S. v. Zezev 


