Security Incidents mailing list archives

Re: Security Event / Customer Reporting


From: Aaron Silver <asilver () epoch net>
Date: Sat, 14 Jul 2001 09:58:52 -0400



Tyrannis Von Nettesheim wrote:

> Folks:
>
> From the battlefield trenches of dealing with the constant ebb and flow of
> residential customers compromised generally due to the expected holes in
> Microsoft products, I have yet to get myself or hear of a request from any
> entity (with the exception of legitimate, authorized government
> investigators) for forensic data analysis from their own "home" networks.
>
> In a recent posting here, I read an opinion that people should be prepared
> to provide this.
>
> This is absolutely abhorrent, and leads us all down the slippery slope of an
> Orwellian society.
>
> Customers, unless engaged in financial business or other business with
> regulatory requirements, should not ever be subjected to anything near a
> requirement to store their own data, or be prepared to provide historical
> data. At the surface, this violates privacy concerns. Deeper under the
> surface, it would make security professionals de-facto extensions of law
> enforcement in a very unregulated way. This immediately makes one think of
> government "strong-arming" a security professional into providing data, but
> this works the other way too - where a well-intentioned, but overzealous
> security engineer discloses confidential data improperly or commits a
> procedural error that leaves an employer exposed legally. This is why we
> have courts, judges, magistrates, search warrants, process, and procedure,
> to ensure that requests for confidential data and privacy intrusions are
> well-formed and within the bounds of current law.

Um... You've lost me here. At no time did I state (and I didn't see anyone else respond so I can only comment on my 
statement) that our company does (or any company should) demand that the customer provide that information to the 
requesting company. How then is the security engineer becoming an extension of the law by not requiring the home user 
to divulge the security information, instead saying "If you've been hacked, please save the information in case you are 
legally involved"?

The security engineer cannot provide to the law any more information about the alleged hack than any logs regarding the 
type and routing of the traffic seen in their logs (not Carnivore-esque, but router/firewall log-esque), since they 
have not asked for that information from the customer. The most they can do is provide to law enforcement officials the 
customer's information, which they would have to anyway. It would then be incumbent upon the home customer to show 
their innocence. Without any records, that would be much harder to do.

I am not a lawyer, and I don't even claim to be. While the law states that you are innocent until proven guilty, it is 
my understanding that if the prosecution provides some evidence indicating guilt, you'd better be prepared to show how 
that evidence is inaccurate or misleading, and that there is a reasonable explanation for an innocent person and that 
evidence to co-exist. Any records that the home customer (or any for that matter) can save will help with that. 
Otherwise, you are opening yourself up for potential liability.

Aaron Silver
********************************************************************************************
Unfortunately this disclaimer is intentional rather than meant to be cute. I am speaking for myself, rather than my 
company.
Because of this, I do not include my company title and affiliation, although that information is not hard to deduce.
********************************************************************************************



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com