Re: login banners

From: Ron and Lisa Mehring (rmehring@havelocknc.net)
Date: Wed Feb 19 2003 - 19:39:15 EST


I to do this day cannot believe the law has not matured on this issue.

Questions to ponder....

If I put a welcome mat in front of front door does that give an individual
to come into my home? With this analogy should warning banner really matter?
Do in need to put my warning banners in multiple languages? To many issues
here.

If a user is properly indoctrinated into the information system are banners
truly needed. Ahhh... The IA hope for commonality in user awareness training
throughout the private, government, international sectors. How about taking
a test before receiving a modem, dsl etc connection in your home? Its
amazing the amount of licenses we must receive with other items (Driving,
Hunting Fishing etc...) why not this?

Still yet, I use Warning Banners on all information systems that have the
capability to support a banner (web, servers, clients, routers, switches
etc.)

As far as monitoring... If I put a surveillance (IDS) system around my home
is this illegal? Must I place a notification? Help me on this issue because
frankly I am ignorant on this one.

ECPA rules are fair and should be adhered to. There is measurable business
case for this in addition to the privacy\law issues.

I have been fairly brief in my statements because I know all reading this
are smart folks and can take the next step.

The law needs to grow up and get with it. I am not a lawyer by any means.

Simplicity in work here.

Respectfully
Ron Mehring
Information Assurance
USMC

----- Original Message -----
From: "Bob Radvanovsky" <rsradvan@unixworks.net>
To: "Patrick Kingi" <Patrick.Kingi@nz.logical.com>
Cc: <pen-test@securityfocus.com>
Sent: Wednesday, February 19, 2003 5:16 PM
Subject: Re: login banners

> See replies and/or URL posting for additional information.
>
> URL: http://www.theorygroup.com/Archive/Unisog/1999/msg00291.html
> http://www.theorygroup.com/Archive/Unisog/1999/msg00296.html
> http://www.theorygroup.com/Archive/Unisog/1999/msg00298.html
>
> http://www.theorygroup.com/Archive/Unisog/1999/msg00023.html
> (interesting)
>
> >> Reposted:
>
> "From Mercury Center First Edition Tue Oct 12 04:30:08 EDT 1999 Gov. Gray
> Davis has vetoed legislation that would have prohibited companies from
> secretly monitoring workers' e-mail, computer files and Web surfing.
> Privacy advocates denounced the veto as a strike against employee rights.
> But Davis said he was protecting the right of employers to control their
> workplace.
> http://www.mercurycenter.com/svtech/news/indepth/docs/email101299.htm
> Meanwhile, companies are tightening the rules governing employee e-mail
and
> Web surfing.
> http://www.mercurycenter.com/svtech/news/breaking/merc/docs/y2k101299.htm
> Case law seems to show a pretty consistent trend in siding with employers,
> giving them virtually unlimited scope to ensure that their resources are
> used appropriately. Having said that, the University of California has
> articulated its expectations about privacy (among other things) in its
> overall policy on electronic mail. It clearly prizes individual privacy
> highly. There are only very specific circumstances under which
> non-consensual access to others' email messages is allowed - criminal
> activity being one of them. The email policy is now in process of being
> generalized to encompass all forms of electronic communication, and will
> soon (that's a relative term :-) become the UC Electronic Communication
> Policy. For those interested, the UC Email Policy is available at:
> http://www.ucop.edu/ucophome/policies/email/ Of course the technology in
> its current mainstream state is inherently vulnerable to privacy exposures
> - such as when a postmaster must reroute misdelivered email, or the case
> Steve mentions where technical staff stumble across porn during the
regular
> course of their duties. So it seems to me that the policy aspect becomes
> even more important... just because it's technically possible to do
> something shouldn't automatically mean it is sanctioned. By policy, our
> technical staff must maintain confidentiality except in the case where
they
> do stumble across criminal activity; in that case, another set of policies
> take precedence."
>
> >> Reposted.
>
> "go to www.securitymanagement.com ,click on Tech Talk and see article re
> Tool Talk: Log-In Banners"
>
> >> Reposted.
>
> And my favorite, SecurityFOCUS: http://online.securityfocus.com/guest/1060
>
> Here we go.... http://www.cybercrime.gov/s&sappendix2002.htm - Look
> specifically at Appendix A.
>
> And lastly, here is a *sample* banner provided. ;) It was taken from the
> U.S. Navy Great Lakes Medical Center in Waukegan, IL. It has been
modified
> a little bit, so if you use this banner, you should: (1) check with the IT
> manager for USN's GL's M/C data center, and (2) check with your attorney.
>
> Sample banner is as follows:
>
> " -------------
> W A R N I N G
> -------------
>
> THIS IS A PRIVATE COMPUTER SYSTEM.
>
> This computer system including all related equipment, network devices
> (specifically including Internet access), are provided only for authorized
use.
> All computer systems may be monitored for all lawful purposes, including
to
> ensure that their use is authorized, for management of the system, to
> facilitate
> protection against unauthorized access, and to verify security procedures,
> survivability and operational security. Monitoring includes active attacks
by
> authorized personnel and their entities to test or verify the security of
the
> system. During monitoring, information may be examined, recorded, copied
and
> used for authorized purposes. All information including personal
information,
> placed on or sent over this system may be monitored. Uses of this system,
> authorized or unauthorized, constitutes consent to monitoring of this
system.
> Unauthorized use may subject you to criminal prosecution. Evidence of any
such
> unauthorized use collected during monitoring may be used for
administrative,
> criminal or other adverse action. Use of this system constitutes consent
to
> monitoring for these purposes."
>
> Once logged in, they should see:
>
> "WARNING: Unauthorized access to this system is forbidden and will be
> prosecuted by law. By accessing this system, you agree that
your
> actions may be monitored if unauthorized usage is suspected."
>
> From my understanding of computer law, dealing with legal aspects
> involving either an attempted break-in, or a successful break-in (through
> some sort of forensics process), you want to be as *specific* as
> possible. The more specific you are to the laws applicable, the better
you
> are protected.
>
> Mind you, I am not now, nor have I ever been, a representative of any
legal
> institution, agency, and/or representative thereof. I am not an attorney,
> nor do I profess to be an attorney. My advise, if you want to really
> protect yourself, is to hire an attorney that specializes in computer law.
>
> And lastly, inset disk into magnet and spin until properly cooked. ;)
>
> My 2 cents worth! Hope this helps!!!
>
> Bob Radvanovsky
> rsradvan@unixworks.net
>
> At 01:55 PM 2/18/2003 +1300, you wrote:
> >Greetings all,
> >
> >It has been standard practice to ensure systems ensure their login
banners
> >warn the users that unauthorised access is not allowed, your activity may
be
> >logged etc...
> >
> >A client has asked if there is any evidence that this really matters. I
> >heard a story once upon a time that a hacker did not get prosecuted
because
> >the login banner said something like "Welcome to your friendly
neighborhood
> >computer". Is this an urban legend?
> >
> >Does anyone have any evidence that the login banner has been used in
court?
> >
> >Any help would be appreciated.
> >
> >regards,
> >Patrick
> >
> >
>
>---------------------------------------------------------------------------
-
> >
> >Do you know the base address of the Global Offset Table (GOT) on a
Solaris 8
> >box?
> >CORE IMPACT does.
> >www.securityfocus.com/core
>
>
>
> --------------------------------------------------------------------------

--
>
> Do you know the base address of the Global Offset Table (GOT) on a Solaris
8
> box?
> CORE IMPACT does.
> http://www.securityfocus.com/core
>
>
----------------------------------------------------------------------------
Do you know the base address of the Global Offset Table (GOT) on a Solaris 8
box?
CORE IMPACT does.
http://www.securityfocus.com/core


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT