I don't know how it happened, but that was a typo on the question I posed to Slashdot. It was NOT a very lame attempt to coin a bogus new term! I still don't know how the word "Network Security" got truncated to "Webcurity."
I HATE that term as much as anyone - so let's kill it once and for all and chalk it up to a very BAD typo.
"The US can't do a darn thing to them since they aren't in this country." The US can establish jurisdiction over Elcomsoft because they have appeared in court subject to jurisdiction here. You're right, if Dmitry had never entered the company, or Katalov didn't appear before the court, then they could only file charges, but couldn't get their hands on them from Russia. Unfortunately, that is not how this story played out.
First, you shouldn't stop if the $5,000 threshold isn't met, because there are also state laws that can apply. Also, the new USA Patriot Act practically makes it impossible not to reach the $5,000 - they count almost everything now.
Second, there is the real problem of bad PR - but if the system was not locked down well, then people should know if their info, for example, is vulnerable. The problem is that it is a management decision, and they end up blaming IT even after they slashed the budget. I don't have any solutions here. I think you'll see litigation in this area that will reduce mgmt incentive to be preoccupied with the negative consequences of PR.
Third, there has actually been a recent proposal that might help - Critical Information Infrastructure Act (I think) that will encourage companies to cooperate with the gov't and each other without fear of the Freedom of Info Act or anti-trust. There are some things that can happen at the federal level. Most Congressional staffers are clueless about network security issues (they can't be up on everything...), but hopefully there is someone they listen to that you can get to. And I've found that the "IT" advisor is really open to positive criticism - people just have to be heard.
I think some of the legislation that is under consideration will not ADD burdens to infosec, but hopefully strip down some of the burdens. But I agree, we should be VERY careful what we ask for, because we might just get it - in the form of a political compromise.
Several posters have been upset that a lawyer would "lobby" and work behind the scene to work for "clueless" Senators.
Perhaps I should have cleared this up from the start.
I am NOT taking any fee for this. Nada - never will.
The reason why I did it was because I was very concerned with the USA Patriot Act and I realized that the network security community has to start interacting and informing Congress about what is important to them. Unlike the RIAA and other large software developers, there is no concerted influence in Congress for network security concerns. I thought I would start a ball rolling by asking the /. crowd what they think is important. And I have received some amazingly interesting responses. All this is about is one guy asking /. what is important to them and letting a Senator know - for what it's worth. That's all.
Without wanting to get preachy, we need MORE people to contact their Congress people and share their concerns. That's all I did and I got a good reception from one of the most security conscious and open market Senators.
So, there is nothing underhanded going on here. Perhaps it is the distrust because I'm a lawyer. But I was first in networks before law and I am extremely alarmed by what is going on in DC at the moment. As a result, I also do pro bono for EFF.
I urge the network security community to become more active with the laws that are being written and write your Congress people. They will listen. Thanks for the comments. I'll post the summary of the comments on my web site at http://denmarket.dk/cyberlaw if you want to add any more comments.
This is an interesting idea. However, given the reality of politics, I can't imagine the gov't, who is in a deficit situation, funding a competitor of MSFT. I'm all for Open Source as a major solution to security, and perhaps there can be more aggressive laws or enforcement supporting copyleft. I tried to run the concept of tax rebates for security upgrades, but he said that in reality, he would rather see the private sector deal with it - for example, with reductions in insurance premiums for passing certain security levels as the financial incentive. I sympathize with your concept, but I'm a bit leery of having the gov't involved with anything concerning Open Source or Free Software. What is your take?
Actually, I'm a member of EFF and do pro bono work with them on some of the DMCA cases. I feel strongly about what they do, and what they stand for. But they approach the issues from a policy viewpoint, and the point of asking the /. crowd was to get "at the terminal" feedback from people who actually have to live with the laws that are coming down the pipe. Thanks.
I agree 100% with your comments. Just as I'm appalled by the French court's Yahoo! ruling, I'm also appalled by the recent extra-jurisdictional attempts in the USA Patriot Act to rope in conduct outside of our borders. Same with the Dmitry case. In the short term, I think many of these are going to be held unconstitutional. But it is going to be ugly in the meantime. I will be sure to mention your comments. Thanks.
Aren't you being a bit hard? Would you rather Senators NOT listen to people who are affected by the laws they make? Also, notice I didn't say he wanted to involve gov't. He wants to know the concerns in the industry, because he also is sceptical of gov't involvement as the answer to many things that can be best sorted out in the private sector.
Also, there is a BIG difference between not understanding what is going on in the private sector and being concerned about what is going on.
Too many people bitch about what Congress does, but also THEN bitch at them for asking what people actually think! Which one is it?
There are serious consequences about the laws being made right now, as so many people have pointed out. It is not helpful to throw tomatoes from the gallery at people who are actually trying to listen and do the right thing before we have to live with any more poorly thought out laws.
I assume he did vote for the USA Patriot Act - but considering only 1 Senator voted against it (Feingold), your "odds" were certainly right. But the odds were actually 98 out of 99.
First of all, I'm not a lobbyist, I'm not being paid for this. Period. And you are sorely mistaken if you believe that the government networks do not have any "skin" in the game. He was leaning more towards breaking down the barriers between gov't and the private sector so everyone can work together. But unfortunately, there are too many people who feel the gov't admins are less capable, or less trustworthy, or that cooperation with the Feds will compromise some sort of confidentiality. There ARE positive things that Congress can do. This Senator shares the view of most contributors here at /. that the answer is not in MORE federal laws, but mature cooperation.
I agree with your comments about liability for negligent operation of networks. However, I think you have confused who is in the pockets of the trial lawyers. The Dems are the ones who get their funding from the Trial Lawyers Assoc. and it is the Republican pols who are always trying to cap jury awards and limit contingency fees.
I would like to thank the /. community for some truly outstanding and thought-provoking comments. You can be sure that a summation of these comments will be reviewed by the Senator over the Christmas holidays. This is an area of urgent concern for him. I will submit a draft of the summary to the /. editors and perhaps they will post it for your review. Thanks again for the time you have taken to respond. Bill
, is that if you're not into editing the text of the posts but are displaying them verbatim, then you cannot be responsible for them. You're just a carrier of the message.
Technically, this is not true. IAAL, and in most jurisdictions, it comes down to your notice that material is infringing, contains trade secrets, defamatory, etc... the usual stuff that invokes 3rd party liability.
A newspaper retains a bunch of lawyers exactly for the fact that they DO have liability as a publisher. With defamation, for example, if they published it with a reckless disregard for the truth, they can be liable, unless the article involved a public figure.
Bottom line - be careful what you exercise editorial control over because it is evidence of "notice" and deliberation.
Most of it comes down to awareness, and your actions after you become aware of the "problem." For example, with defamatory material, there has to be some level of notice before you can normally be liable. You could be in trouble if you encourage people to post things you know are defamatory, but that might be pushing it. This crosses into the complex area of First Amendment law, prior restraint and publisher's rights. Bottom line, if someone contacts you that there is defamatory material on your site, best take it down and let those two fight it out.
Same with copyright infringement. Under the DMCA, you have to be put on notice that someone is using your site to infringe on another's rights. Once you are on notice, the DMCA (17 U.S.C. Sec. 512) spells out the specific procedure to hide behind the safe harbor so you are not liable, provided you follow certain procedures.
Overall, while this isn't specific legal advice, generally, you should react quickly to notifications, and otherwise keep a hands-off policy on all other comments to weaken the argument of your complicity.
In defense of - yuck! - litigation (on "Lawsuits Suck", Score: 1)
Look... I can understand the ambivalence, or hostility, towards the role that lawyers play in the economy. I don't defend the bloodsucking contingency lawyers that lurk behind every tort. But if you take a step back and look at the upcoming wave of litigation, the Internet needs it. The lax standards and vulnerable protocols have allowed people to be negligent with their network activity that they would never get away with in the real world. When a company refuses to secure their networks against, for example, denial of service daemons, why shouldn't the guy who is targeted get pissed at the guy who allowed his computer to participate in the attack?
I really hate to admit it, but cars and air travel are safer as a result of previous litigation that required the companies to look out for the good of others. Isn't it time we establish a bit of accountability on the Internet?
The reason we wrote the opening sentence that way was to diminish and poke fun at the concept of Hollywood "hackers" as portrayed in the movies - not validate it. Nothing could be more bogus than the hacker portrayal in "Hackers" - the movie. And that is exactly the point. There are real legal issues behind the Computer Fraud and Abuse Act. The point of the article was to briefly demonstrate how the "type" of hacking execution and the status of the victim can seriously impact your criminal liability. It hasn't been really discussed in detail, and people need to understand how the nuances of technique affect the law, and maybe more importantly, affect how the law is being re-written up on Capitol Hill as we speak. As I mentioned before, much of this article is written to luddite lawyers to get them up to speed on the law. We're speaking to DefCon on Friday about the more intricate application of the code. But any critiques you have are certainly welcome. Bill Reilly
Thanks for the response to the article on cyber-crime. I was a co-author on the article. You have to remember the audience we were trying to educate, before you get too picky with some of the choice of words we used in the article. We wanted to give the legal community a very fundamental basis for evaluating 18 U.S.C. Sec. 1030. There were a lot of times that we didn't really want to express things the way we did, but the audience for that particular piece was the relatively unsophisticated lawyer with little experience in technical issues. We're speaking at Def Con 8.0 in Vegas on Friday on more of the detailed application of 1030 as well as upcoming changes to the code that are going to drastically change cybercrime prosecution and civil actions. Enjoy the article, but please remember it wasn't written for the "slashdot" crowd - although, there are still legal applications of the law that you might find interesting. Bill Reilly
This article should help clear up some of the jurisdiction issues so companies don't target US consumers with software that might violate the DMCA.
What are you talking about? The case isn't over - Elcomsoft is still in position to take it to the top, if necessary.
I don't know how it happened, but it was a TYPO. I tried to straighten it out. So NO - I was not trying to coin some lame new term!
That's a funny comment, DeanOh. But no... as you can read on comment #499, I'm not taking a thing - but I can understand where you're coming from.
It was a stupid typo - not a really annoying new term. Sorry.
Sorry - "WEBCURITY" was a typo for Web Security. I wasn't trying to coin some lame new term.