From: Greg Williamson (n120476phaedrus.national.com.au)
Date: Thu Feb 28 2002 - 15:28:16 CST


    >Finally, I note that Greg seems to work for (or be in some way
    >affiliated with) the National Bank of Australia. If so, perhaps he
    >should brush up on his employer's privacy policy, as linked from its
    >home page:
    > http://www.national.com.au/About_Us/0,,2692,00.html
    >Although that document is clearly aimed at reassuring the bank's
    >customers that any personal information about them held by the bank
    >will be properly guarded and "respected", it is clear that the bank
    >wishes to be seen to not only uphold the letter of the Australian
    >law relating to such issues, but to be seen to be exemplary in the
    >way it does so. In light of this, I wonder how the bank can have an
    >internal policy for IT staff that clearly shows little, if any,
    >respect for Australian computer law. If the bank does not have such
    >a double standard, does that mean Greg should now (or may soon) be
    >facing disciplinary action within the bank?

    A long bow here... I'm a little confused how a privacy policy relates to this,
    given that the basic precepts of the privacy laws in Australia have not been
    broached in any way by any of this - I haven't recorded or published any
    personal information on a visitor to my website or one of my customers, but
    responded (in a non-destructive and fairly polite manner) to an attempt to
    compromise one of my systems. And, although I'm not a lawyer, and particularly
    not an IT lawyer, I'd be surprised to see a conviction obtained under Australian
    law for any actions I undertook in response to this.

    >Let's be generous and assume that when Greg said "With CodeRed, I
    >cobbled together ... but also used the root.exe hole to put a
    >WinPopup box on the infected machine" he was talking about something
    >he did outside the bank and that did not in any way involve bank
    >time, computers or network resources. Can the National Bank of
    >Australia afford to be publicly seen to be associated with someone
    >freely admitting to what almost surely was a criminal act in at least
    >one country where at least one machine Greg "notified" resided?

    Yes, as has been suggested, this work was performed on my personal system at
    home, routed through my personal ISP, in my own time. Had the attacks been
    those received at work, the Bank's normal channels (mainly legal-type ones)
    would have kicked in. I'd personally be happier to have a popup or email advise
    me of this instead of a lawyer or a policeman. It's worth pointing out here that
    the NAB was attacked "successfully" by Nimda, and although my systems weren't
    affected I spent more than a couple of days working on nothing else. If, as it
    has been suggested, what I did was considered a criminal act in at least one
    country (probably not, given the way CR spread across netblocks) then surely the
    argument of self-defence would equally apply. Use of sufficient force to defend
    myself without increasing the level of violence or aggression is a viable
    defence in just about every jurisdiction.

    Finally, and this is a tiny little point at the end but ties into the Nimda
    reference above, one of the warning messages I sent warned of the ability of a
    malicious user to use the CR holes to do much nastier things than I did. Along
    came Nimda, and the rest is history.


    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com