Security Incidents mailing list archives

RE: Logon Banners


From: "Rohrer, Mark E" <mark.e.rohrer () lmco com>
Date: Sat, 23 Mar 2002 09:20:38 -0800

Though the case is not cited, the 2 Mar 90 Defense Data Network Security
Bulletin advises, "A court recently threw out a suit against a computer
system intruder because the logon prompt was preceded with "Welcome to..."
and implored administrators to cease using "Welcome" in logon banners.
(http://csrc.ncsl.nist.gov/secalert/ddn/1990/sec-9004.txt)

Again, without citing a case, NASA's GRC (Glenn Research Center) exclaims in
chapter 9 of its Directive 2810.1, "To the maximum extent of their
capabilities, all GRC systems must display a warning to all users at the
time they log on. Recent criminal prosecutions have emphasized the value of
well-written logon banners. In one case several years ago, a quick-thinking
defense attorney convinced a jury that an external intruder could not
possibly have been a criminal computer trespasser because the system that he
had broken into had had a logon banner that WELCOMED him to the system. Far
from being an uninvited intruder, he was actually a welcome guest!"
(http://www.grc.nasa.gov/WWW/Directives/2810.1-Chap9.html)

And it appears that this is not a U.S.-centric issue; the following excerpt
from the Australian University of Queensland Security Emergency Response
Team Advisory SA-93:03A bulletin exhorts, "SERT recommends that any login
banner or system initial message should not imply consent to use the
computer services (E.g., words such as "greeting" or "welcome"), unless it
is the express intention that any user is free to use the system, whether
they are authorised or not."
(http://www.attrition.org/security/advisory/auscert/AA-93.03.Suggested.Login.Banner)

You may want to contact these organizations directly for more detail.

However, there's plenty of discussion on the flip side of the coin, too;
e.g., see "Trespassing, IP and the Law (REALLY long) (was Re: Virus to
Virus Idea" at
http://www.der-keiler.de/Mailing-Lists/securityfocus/security-basics/2001-09/0096.html.

Mark

-----Original Message-----
From: leon [mailto:leon () inyc com]
Sent: Friday, March 22, 2002 9:18 PM
To: incidents () securityfocus com
Subject: Logon Banners


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

There is a thread going on, on the sf-basics list about logon banners
and legalities.  The general consensus seems to be one of two
groups of thought;  1)  If you put welcome in your logon banner
this could make you legally responsible if you are attacked (meaning
the attacker can say, "well it said welcome".)  2)  This is an urban
legend and not really true.

My question is can anyone provide links showing that there have been
court cases decided upon this?  I found a reference in one of my
Cisco design books but it does not provide links or any other
cross-reference.

Thx,

Leon

<----8<---->
