RE: hb504_LC_29_2714_a_2.html

Decius
Topic: Miscellaneous 10:04 pm EST, Feb 22, 2007

I'm not certain I see categorically how removing a virus would fall into these provisions however, and I'd like to hear what I've missed.

If someone comes to you with a computer that they think might be infected with a virus and offers to pay you to look at it and possibly clean it up, you are providing services in which you are collecting information with reference to a crime. The text "crimes against the United States" does not mean circumstances where the federal government is the victim, it means circumstances where a United States law was violated. The distribution of viruses is illegal, and collecting information about that as a work for hire would be, under this law, a felony punishable with prison time.

It's worth pointing out that such activity may already be illegal under the present law, but that law has never been enforced in this context. There are clear signs, in particular statements made by the PI board, that certain quarters are interested in seeing that law enforced in this context. With this rule change the risk goes from a minor misdemeanor charge to a felony with serious penalties. The result will be that IT professionals who do not have a background in criminal justice will have to think twice before making any offer to help someone who has been the victim of a computer crime.

That is the intent of this bill and the intent of the people who support its enforcement in this context.

Anyway, I think there are two different aspects to consider here. The first is your normal IT functions, such as virus and spyware removal, the configuring and monitoring of firewalls, etc., and the second is more advanced computer security such as responding to system compromises, "forensic" data analysis, systems fraud monitoring, etc. The former, I'd think, should be pretty much completely exempt from any sort of regulation.

This law makes no such distinction, and I don't know how you can distinguish between a spyware infection and a system compromise, nor do I know how you can distinguish between normal IT functions and "systems fraud monitoring." They are the same things. There is a professional practice of detailed computer forensics for the purpose of evidence collection for trial which is separate from normal IT security functions. You'd expect people who offer such services to understand the law of evidence collection, but there is absolutely no reason to require that those people be former police officers. In fact, in dealing with this issue for a year now I have yet to hear anyone offer an articulate explanation of why such a requirement would be desirable.

The latter, on the other hand, as I've said, has implications for evidence and the potential recovery of losses or the prosecution of a criminal investigation. Given that, I actually don't oppose the notion that such workers should be verifiably conversant in the legalistic aspects of their work. As a matter of fact, I'm kind of surprised that those kinds of activities aren't already considered as being the exclusive jurisdiction of "the Law".

Most people who testify as expert witnesses, such as CPAs, Engineers, etc., do not need to have a criminal justice degree or experience as a law enforcement officer. There is absolutely no reason why such a requirement should be placed on Computer Security professionals. As you say, this law exists because of the safety risks involved with physical security work and real world PI sleuthing. Those safety risks have nothing to do with computer forensics whatsoever.

Allowing company employees to process information that exposes the perpetrator of an alleged criminal act seems rather like allowing the fox (or, perhaps, merely the fox's close friend) to guard the henhouse.

However, this law provides for that with no problems, and has always provided for that. (The relevant text is not in the bill because it is not being amended.) A private company can hire their own security guards without getting licences under this law. It only applies to firms that offer these services to the general public.
