Re: [logs] Logging standards?

From: Sweth Chandramouli (svcat_private)
Date: Sat Oct 27 2001 - 14:38:24 PDT


    On Sat, Oct 27, 2001 at 01:59:41PM -0700, todd glassey wrote:
    > 
    >    Ridiculous Carl - The only Judge that would allow a court to equate
    >    Logging with Wiretapping is one that did not understand systems
    >    logging or timesharing.
    	It's not completely ridiculous; ECPA 1986 explicitly
    extends the Wiretap Act to apply to "live" monitoring of electronic
    communications with no audio component (since ones with an audio
    component were already covered by the Wiretap Act).
    	The catch, however, is that ECPA mostly restricts the
    government's ability to do "live" monitoring.  There has yet to be any
    legislation or case law (of which I'm aware) that changes what ECPA has
    to say about voluntary disclosure of log information to the government,
    which is basically that log/transactional data is considered a subset
    of "non-content records"; such records are (somewhat) fully-disclosable
    to the government--in the worst-case reading of ECPA, the data would
    only be admissible if the government agent who received it had already
    obtained a section 2703(d) order to "force" the party to disclose its
    logs; the important thing, then, is to make sure that whoever you talk
    to in the government when pursuing something for which logs would be
    an important piece of evidence does take the appropriate measures to
    make that data admissible.  (Wow.  That was a long sentence.  My
    apologies.)
    	The site that Carl cited advocates the use of banner
    messages to obtain implicit permission to monitor activities.  While
    such banners can never hurt and should always be used, however, they
    are impossible to implement for non-interactive transactions (e.g. a
    port scan); I haven't seen any evidence, moreover, that the
    restrictions that such banners circumvent apply to transactional logs,
    which another part of that same DoJ site
    (<http://www.cybercrime.gov/searchmanual.htm#IIIe2>) explicitly gives
    the same interpretation that I describe above.  That section, in fact,
    also points out that hackers, by virtue of not being subscribers or
    customers of the providers of the communications service being
    monitored, should not be able to use the ECPA protections.
    	(The chart in section IIIf of that document is also a
    good summary of the various types of information ECPA covers and how
    information disclosure for them is handled.)
    
    	IANAL, YMMV, don't try this at home, etc.  I'd be very
    interested in discussing this further off-list with anyone who knows of
    actual cases where ECPA has been applied to transactional records.
    
    	-- Sweth.
    
    -- 
    Sweth Chandramouli ; <svcat_private>
    President, Idiopathic Systems Consulting
    
    
    This archive was generated by hypermail 2b30 : Sat Oct 27 2001 - 15:26:22 PDT