Let's take that one step further. Let's also ban fax machines. You know, I could end up faxing something sensitive and type in the wrong phone number! (Oh noes!)
Virginia has a dial-before-you-dig system called "Miss Util". [ www.missutility.net ]
This of course presumes that a law enforcement officer could distinguish between a server, a storage array, and a Lite-Brite!
It's easy: They don't decide to not HIRE you. They decide instead to not even INTERVIEW you. Anymore, you don't so much apply for a position as submit a resume for consideration.
Standard disclaimer should apply: Talk to your corporate legal counsel first.
What are you going to do when a user goes on vacation for 1-2 weeks and can no longer remember their password to boot up the system? What are you going to do in a similar situation if the person is a "road warrior"?
How are you going to ensure access to the data during a legal compliance exercise (order of preservation or a subpoena for specific records)? If each user selects their own password/phrase to secure the drive, now what?
How will you handle shared workstations? Share passwords? How will you "revoke" access or force a rekeying when someone leaves the organization?
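The key-management questions in the comment above (a forgotten passphrase after vacation, a subpoena, a shared workstation, a departure) are the ones a multi-slot disk-encryption header is designed to answer: one data-encryption key (DEK) is wrapped separately under each user's passphrase and under an escrowed recovery key held by IT, so any one slot unlocks the volume and any one slot can be revoked without touching the others. The following is an added example, not code from the original page or the commenter. The slot operations are modelled loosely on LUKS key slots; because the Python standard library has no AES, the wrap step stands in for AES key wrap (RFC 3394) with an HMAC-derived one-time keystream plus an HMAC tag. All function names, the iteration count and the sample keys are assumptions made for the illustration.

```python
"""Multi-slot key escrow for a full-disk-encryption header (added example).

Not code from the original page. Slot layout loosely follows LUKS key
slots. The wrap primitive is a stand-in for AES key wrap (RFC 3394):
the Python stdlib has no AES, so a 32-byte HMAC-derived keystream is
XORed once into the DEK and an HMAC tag detects a wrong secret.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000   # assumption: tune to the platform's unlock budget
KEY_LEN = 32


def _kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Slow KDF for human-chosen secrets (the user's boot passphrase)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERATIONS, KEY_LEN)


def _kek_from_key(key: bytes, salt: bytes) -> bytes:
    """HKDF-style extract for a high-entropy key (IT's escrowed recovery key)."""
    return hmac.new(salt, key, hashlib.sha256).digest()


def _wrap(dek: bytes, kek: bytes):
    """Wrap the DEK under a key-encryption key; returns (wrapped, tag)."""
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()   # one-time keystream
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return wrapped, tag


def _unwrap(wrapped: bytes, tag: bytes, kek: bytes) -> bytes:
    """Verify the tag (wrong secret -> ValueError), then recover the DEK."""
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong secret for this slot")
    return bytes(a ^ b for a, b in zip(wrapped, stream))


def _add_slot(header: dict, name: str, kind: str, kek: bytes, salt: bytes, dek: bytes) -> None:
    wrapped, tag = _wrap(dek, kek)
    header[name] = {"kind": kind, "salt": salt, "wrapped": wrapped, "tag": tag}


def add_passphrase_slot(header: dict, name: str, passphrase: str, dek: bytes) -> None:
    """One slot per person: shared workstations get several, not a shared password."""
    salt = os.urandom(16)
    _add_slot(header, name, "passphrase", _kek_from_passphrase(passphrase, salt), salt, dek)


def add_key_slot(header: dict, name: str, key: bytes, dek: bytes) -> None:
    salt = os.urandom(16)
    _add_slot(header, name, "key", _kek_from_key(key, salt), salt, dek)


def new_volume(recovery_key: bytes, dek=None):
    """Create a header whose only slot is IT's escrowed recovery key."""
    dek = dek if dek is not None else os.urandom(KEY_LEN)
    header = {}
    add_key_slot(header, "recovery", recovery_key, dek)
    return header, dek


def unlock(header: dict, name: str, secret) -> bytes:
    """Unlock through any one slot: a user's passphrase, or IT's recovery key
    for a forgotten passphrase, a road warrior, or a preservation order."""
    slot = header[name]
    if slot["kind"] == "passphrase":
        kek = _kek_from_passphrase(secret, slot["salt"])
    else:
        kek = _kek_from_key(secret, slot["salt"])
    return _unwrap(slot["wrapped"], slot["tag"], kek)


def kill_slot(header: dict, name: str) -> None:
    """Revoke one secret (a departure) without touching the encrypted data."""
    if name == "recovery":
        raise ValueError("refusing to remove the escrow slot")
    del header[name]


def rekey_from_recovery(header: dict, recovery_key: bytes, new_dek=None):
    """Rotate the DEK itself: needed when someone who held the unwrapped DEK,
    not merely a passphrase, leaves. Returns (new_header, old_dek, new_dek);
    the caller must re-encrypt the data from old_dek to new_dek and re-add
    the remaining users' slots to the new header."""
    old_dek = unlock(header, "recovery", recovery_key)
    new_header, new_dek = new_volume(recovery_key, new_dek)
    return new_header, old_dek, new_dek


if __name__ == "__main__":
    recovery = os.urandom(KEY_LEN)          # held by IT, never by the user
    hdr, dek = new_volume(recovery)
    add_passphrase_slot(hdr, "alice", "correct horse battery", dek)
    assert unlock(hdr, "alice", "correct horse battery") == dek
    assert unlock(hdr, "recovery", recovery) == dek   # forgotten passphrase / subpoena
    kill_slot(hdr, "alice")                          # alice leaves
    print("slots now:", sorted(hdr))
```

Two points the slot layout makes concrete: the recovery slot is what lets the organization answer a preservation order without knowing any user's passphrase, and killing a slot is only enough when the departing person never had the raw DEK; if they did (an administrator who imaged the unlocked volume, say), the DEK has to be rotated and the data re-encrypted, which is what `rekey_from_recovery` sets up.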
Given the current administration, let's take this assertion to the next logical level. If anything or anyone traversing a US "border" is subject to warrantless search by US agents, then all network traffic is subject to similar search. By extension, you must provide the keys necessary to effect said searches.
Sounds entirely reasonable to me.
There is another argument to be made with regard to possession of photo-realistic child porn (CP). Abusers of children who possess child porn *could* use that porn to entice other children into an abusive situation. They use the CP to normalize it to the child, "See, Johnny? These kids are doing it, and this one is smiling in the picture. They like it, and so will you!"
Can I cite studies proving this usage pattern? Nope.
The problem we run into with saying CG images should be illegal if depicting someone underage -- depending on whether a reasonable person would believe that the "subject" in the photo would be under 18 -- is we enter into self censorship. I could point to real 20 year olds that look 16, and 16 year olds that look 20. With a provably real photo you have a decent chance of documenting when it was taken and therefore demonstrating the age of the subject when the photo was produced. In CG, you don't have a subject for which you can document a real age.
Demonstrate to me that a large majority of companies out there actually have the intent to report to law enforcement with regard to intrusions.
As I stated in another thread, most of the existing laws on this matter (esp. Virginia) have a carve-out exception for "proprietary employees" -- those that are direct, W2 employees. Such persons can generally engage in an otherwise regulated activity so long as it is within the confines of their job for that employer. If you decide you want to make a little side money doing this work for other companies as well, then you are a contractor and need to conform to the full scope of the law and regulations.
I know there are a number of states that require apprenticeships prior to obtaining an individual license. I also recognize that there are a couple "support retired law enforcement through protectionism" states that hold that only former LEs can become PIs. In those states where the regulatory overhead is that high, it may very well make sense to create a parallel registration and licensing scheme, but be careful what you are asking for! I can envision a well-intentioned state legislator seeing "forensics" and thinking it belongs in the same part of the regulations covering people doing DNA analysis and ballistics.
Generally speaking, you would be considered a "proprietary employee". You are not offering that primary skillset on a for-hire basis to more than your primary employer.
Good lord! In just about every state the licensing requirement does not prove you have a specific skillset.
There are PIs that specialize in TSCM (Technical Surveillance CounterMeasures -- electronic bug hunters that sweep rooms, etc...), workers' comp cases, divorce/infidelity, competitive intelligence (thinking of buying a company?), background investigations, skip tracing, and yes, computer forensics.
The license is a means to gate who can operate on a for-hire basis to introduce evidence into a court or other similar body. That's it.
Read the existing laws. The article cites at least six states with some laws already on the books. Go read them and understand what they really require.
Is it your intent or that of your client that the case go before a judge in a court of law? If so, then pony up and get licensed.
If it is your intent to merely "investigate" the root cause and help a customer recover to a pre-intrusion state, then you likely would not need to be licensed. (At least that is how VA law reads to me, in my case).
From the Code of Virginia:
9.1-138. Definitions.
""Private investigator" means any individual who engages in the business of, or accepts employment to make, investigations to obtain information on (i) crimes or civil wrongs; (ii) the location, disposition, or recovery of stolen property; (iii) the cause of accidents, fires, damages, or injuries to persons or to property; or (iv) evidence to be used before any court, board, officer, or investigative committee. "
and
9.1-139. Licensing, certification, and registration required; qualifications; temporary licenses.
"C. No person shall be employed by a licensed private security services business in the Commonwealth as armored car personnel, courier, armed security officer, detector canine handler, unarmed security officer, security canine handler, private investigator, personal protection specialist, alarm respondent, central station dispatcher, electronic security sales representative, electronic security technician's assistant, or electronic security technician without possessing a valid registration issued by the Department, except as provided in this article."
Note, there is very similar language under New York State laws as well. In fact it's all damn near boilerplate, they are so similar. I would suspect several other states therefore have comparable laws on the books already (No, I have not yet bothered to RTFA). Just because lots of people have been doing it for a while because they were/are ignorant of the law does not excuse it. They are committing a Class 1 misdemeanor. Any decent opposing counsel will move to exclude any evidence produced by an unlicensed/unregistered company or person.
9.1-149. Unlicensed activity prohibited; penalty.
"C. Any person convicted of a violation of subsections A or B shall be guilty of a Class 1 misdemeanor."
No, this is not in stark contrast to the PA case. The PA case is about someone recording *sound*, not video.
You can dress up a pig, but it's still a pig?
Many banks ARE rolling them out in this form: http://www.rsa.com/node.aspx?id=3019
Hey... I'll gladly take some stock options that are worth SOMETHING as opposed to what I have now.
Yeah... when the malware injects itself into the running explorer.exe, you usually are pretty screwed!

Oh wait! Gee, you COULD boot into safe mode where the majority of this crap (even the "shell-injector") does not autoload. You'll have to scan, reboot, scan, reboot, etc. about 20 times, but eventually you will have a mostly clean system.

This leaves us with two problems still: (1) that the majority of the malware being used for spam and DDoS is not detected by most AV products, and (2) the user must then sufficiently patch their OS to keep from being owned within the first two minutes of being back online.

$ISP should negotiate deeply discounted rates with "Worst Buy" and their Geek Patrol so that people can make an honest effort at cleaning their machines.
The Security Jobs mailing list is a good place to start. When my company was looking for an intern for our incident response and audit team, we turned to that list. There was a standout resume and post from one student in particular... we hired him on. If we have a fulltime professional slot that opens, we'll likely reach out to him first.