Network Security Information-Security-News

RE: [ISN] On Trial - Prosecuting cybercrime puts your organization--andy

Subject: RE: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.
Date: Tue, 19 Oct 2004 21:39:25 -0500 (CDT)
Forwarded from: "smoshlak@interserv.com" <smoshlak@interserv.com>
To: abriney@infosecuritymag.com

TAC-

Although defense counsel can subpoena records and perform depositions
(within reason), there has to be something known as relevance to the
matter.  Any competent counsel can have this type of scenario blown
out of the water, using the following analogy.

A person has entered upon another's property and is charged with
trespass.  Did he crawl over the fence, drive through the fence or
parachute onto the property?  Shall we call in the gate builder, the
architect or the manufacturer to testify about the security of gate
and fence?  Whether it was made of wood, chain link or of the
"concertina-wire" type?  It doesn't matter, since he has trespassed.

In this case, they were able to identify the who, where and the what.  
Whether or not an institution has a security plan (for purposes of the
Court), is irrelevant.  A computer network is not a swimming pool,
which is defined by law as an "attractive nuisance."  This individual
allegedly tried to extort money from an entity, whether the threat is
real or perceived.  Specifically speaking, if one walks into a bank
and states to the teller, "I have a pistol in my pocket and to fill
the bag up with money..," and doesn't have a pistol, but takes the
bank's money, begs the question: Is it still robbery?

Having Michael Bloomberg to the stand to testify about his information
systems security plan or outlining, in detail, his digital
infrastructure was irrelevant and immaterial, considering the
circumstances.  The same holds true for other employees in his office.

Just my thoughts,

Steven Moshlak
Expert Witness, Information Security and Technology

Original Message:
-----------------
From: InfoSec News isn@c4i.org
Date: Mon, 18 Oct 2004 01:23:25 -0500 (CDT)
To: isn@attrition.org
Subject: [ISN] On Trial - Prosecuting cybercrime puts your
organization--and your security--on the hot seat.


http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were 
not aware of [a] bug that allowed someone to enter the system?

Bloomberg: That's correct. It's not just someone. You would have to 
work pretty hard to do it and have to be reasonably competent to do 
it.

Attorney: Would it be fair to say that that bug was a dangerous threat 
to the security of your system?

Bloomberg: Absolutely. 

-Testimony of Michael Bloomberg, U.S. v. Zezev 


New York City Mayor Michael Bloomberg endured more than an hour of 
cross-examination during the 2003 criminal trial of Oleg Zezev, a 
Russian citizen later convicted of hacking Bloomberg LLP's network and 
making extortion demands. Bloomberg didn't make excuses for weaknesses 
in the company's digital infrastructure. He met the issue head-on. 

Is your CEO prepared to do that? 

Your company will undergo intense scrutiny if a case against a 
cybercrime suspect goes to trial. Your employees, from the IT staff to 
the corner office, will be cross-examined by defense attorneys, who 
will attack their competence, challenge their statements and attempt 
to discredit corporate policies and processes. Internal, often 
sensitive, documents and information may become part of the public 
record, and, if the case generates enough buzz, it's fair game for CNN 
and The New York Times. 

When your company takes the stand, you're asking for an open--and very 
public--security audit. Although you can't control everything that 
goes on in the courtroom, you can prepare your employees for the 
concentrated defense questioning. 

[...]



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - 
http://www.osvdb.org/
