RE:Vulnerability Scanners ( was: concerning ~el8 / proje ct mayhem )

[Paul Robertson <proberts () patriot net>]

On Mon, 26 Aug 2002, Behm, Jeffrey L. wrote:

> What mechanism won't have flaws? 

That's where a good lawyer[1] gets their money though.  There also may 
be other mitigating circumstances, such as first ammendment rights for 
state college professors (Urofsky vs. Allen)

> > could be more liable for the things that get through than you are if you 
> > don't try. Suddenly you've placed yourself in the position of an editor, 
>
> You are only the editor if you are editing...what about subscription
> services that
> provide "block lists"...are you still considered the editor, when you are
> only
> blocking categories, and not individual URL's?

That's a good question, and one that I'd encourage folks filtering to 
discuss with their legal counsel.

> > and legally, not trying and not failing is different than trying and
> failing.
>
> To me the above argument applies if you are an ISP, but not a non-ISP
> corporation.

ISPs didn't get common carrier status, a company *IS* an ISP to some 
extent in regards to its employees.  That's why it's a legally slippery 
slope.

> People seem to forget that businesses are not democracies, and the employee
> doesn't
> have the same rights as he/she would have in the "real world." See the "No
> expectation of privacy" clause in the email/Internet policy of prudent
> corporations.

"No expectation" gets you past ECPA, but liability for content and 
filtering isn't part of ECPA.

> I thought in order to protect in the case of lawsuits, a company can show
> they were
> making "reasonable" attempts to prevent such activity from occurring. Who
> can say they
> are completely effective in being able to stop "folks like Jim" without
> disconnecting
> from the Internet.

The bar for "hostile workplace" seems to be high enough that filtering 
won't make any difference in a defense if it's not present:

http://www.ftrf.org/work_jb.html

Seems to have a good bit of info, even if parts of it are 
library-specific.

Jacksonville Shipyards has been the "standard" citation in discussions 
I've had in the past, and I wasn't aware that the case hinged upon verbal 
harrassment in conjunction with the pictures, that certainly changes my 
outlook on what I have to worry about.

Sexually hostile speech seems to need to be part of the work environment 
to be actionable *and* must rise to a level sufficiently severe to create 
an abusive workplace[3].

> > > Agreed on both counts.  Not taking action can be very 
> > > expensive though.....
> >
> > As important as taking action is *when* you take action- and 
> > preemptive 
> > strikes can cost you in court where post-event action won't.  
> If you continue to ignore the issue and take no pre-emptive 
> measures, then post-event-only action may cost you as well.
> This mindset would potentially (and in my opinion, doubtfully)
> only work on the VERY first case at one's company. What Judge
> is going to believe you "didn't know you were supposed to keep
> the garbage out by filtering/blocking?" 

Filtering/blocking doesn't keep that stuff out- therefore the argument 
that you "didn't know" is specious- all the filtering in the world will 
make the connection business unfriendly (heck, I've gotten about 150 
bounces from *this thread* from content filters- think blocking this 
discussion is useful?[2])

> Even so, all other cases would then require pre-emptive action,
> or the Judge could say "Don't you (the company) get the hint? You
> need to stop this activity for ALL employees, not just those that
> are being reported. Don't let me see you in this court-room again, 
> without having taking any precautions about preventing this."

Hasn't happened yet AFAICT.  Harrassment *isn't* just about seeing a 
picture from what I've read, and you're only going to lose if the 
environment is condusive to it- that's other things in conjunction with 
picture viewing.  So, more likely the judge would have something to say 
for the lawyers who keep brining specious cases.

> > About the only preemptive action that seems to have not landed anyone 
> > in hot water is training.
>
> Training? What training? ;-)

Every time they send me to harassment training, I tell them I don't need 
training, I'm already very good at it ;)

Paul
[1] Oxymoron for sure.
[2] Hrm, maybe a bad example ;)
[3] Caviness, 105 F.3d- Winsor, 79 F.3d- Harris v. Forklift Sys Inc, 510 
US 17 (1993)- Meritor Savings Bank, FSB v. Vinson, 477 US 57 (1986)
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards