Security Incidents: Re: backdoor

[Eric Rostetter <eric.rostetter () physics utexas edu>]

Quoting Mike Lewinski <mike () rockynet com>:

> "Hugo van der Kooij" wrote Sunday, June 23, 2002 3:07 AM
>
> > However leaving a compromised system online makes you guilty of criminal
> > neglect. (Aiding and embedding criminals and all that sort of thing.)
> IANAL, but my understanding is that if you want to prosecute the offender,
> you shouldn't touch the box again after discovering the compromise (i.e.
> could be construed as tampering w/ evidence).
>
> Just one of many legal catch-22's I've run into on the job.
You can touch, as long as you document appropriately what you touch and
have a valid chain/record of custody for everything including your notes.

There are many sites on the web which try to teach how to do this (document,
date/sign everything, chain of custody, how to work on copies rather than
the original, etc).  The problem of course is how exactly to do these things
changes from area to area, so you should always check with local legal
folks if possible before, during, and after you touch anything ;)

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com