
Re: Randal Schwartz Cracking Conviction
Jeffrey Kegler <jeffrey@best.com> wrote:
Jeffrey> This is a serious problem for our profession in the
Jeffrey> Oregon v. Schwartz case.  The only safe way to be sure you are
Jeffrey> legal is to avoid any appearance of illegality.  And the only way
Jeffrey> to do that is to avoid doing security audits, that is, to not do
Jeffrey> one's job.

markm@bogart.cse.ogi.edu (Mark Morrissey) wrote:
Mark> no, you can do it with the knowledge and permission of management.
Mark> That's not so hard, is it?
Mark> I don't think that it will stop real security professionals.

Steve Pacenka <sp17@cornell.edu> wrote
in article <428rh8$2ok@newsstand.cit.cornell.edu>:
Steve> The real pros with secure relations with their managements should
Steve> have few or no new problems.  What proportion of the folks with
Steve> computer security duties falls into that intersection?

Let's be clear about this.  A successful security audit almost always
makes someone look bad.  And they will quite commonly go after the
auditor.  If they think they can poke holes in the auditor's authority
to do what he is doing, they will usually try.

Depending on what I am doing, I may get daily threats from people that
I will lose the contract, even for obeying a direct order.  (Actually,
security audits are not the worst for this -- timing databases is the
easiest way to draw threats.)   Those disgruntled with the results of a
security audit may be able to get the ear of upper management.  Note
the more thorough the audit the more enemies you potentially make.
Naturally, when things get too hot for the auditor, the manager who
authorized the audit will distance himself.  When this happens, the
organization regards the audit, if only retrospectively, as
unauthorized.

One of the things a good consultant does is not embarrass the client.
If even proper actions of yours are now regarded as unauthorized, a
good consultant does not argue.  You leave them free to reattempt their
internal education about security with a new auditor, who may be
luckier.  Also, everyone may have learned from the last experience.

This situation I regard as transitional.  As the Internet security
profession becomes more established and understood it will get rarer.
Accountants went through the same thing.  What the outside auditor
finds almost always makes a lot of people look bad.  But society has
learned how to arrange things so the outside auditors have the clout to
do their job, and the outside auditors have learned how to bullet-proof
their authorization, and how to handle inappropriate pressures from
within the client.  The CPAs have the advantage that auditing and
embezzling look quite different.

Oregon v. Schwartz means that while things are settling out, those
security auditors who lose authorization battles will spend the rest of
their lives as convicted felons.  This discouragement of auditors by
Oregon v. Schwartz makes it a Cracker's Bill of Rights.

-- 
Jeffrey Kegler, President, Algorists, Inc.,  jeffrey@best.com
743 East El Camino Real #338, Sunnyvale CA 94087