• Choose a category
• All
• Classic-Fiction

Policy enforcement

Log files may prove to you beyond a shadow of a doubt that person X did bad thing Y, but to a court it is all just hearsay evidence. Protect yourself with written policies. Log files sometimes include timestamps, which are useful but not necessarily admissible as evidence unless your computer is running the Network Time Protocol (NTP) to keep its clock synced with reality.

You may need a security policy in order to prosecute someone for misuse. It should include a statement such as this: Unauthorized use of University computing systems may involve not only transgression of University policy but also a violation of state and federal laws. Unauthorized use is a crime and may involve criminal and civil penalties; it will be prosecuted to the full extent of the law.

We advise you to put a warning in /etc/motd (the message of the day file) that advises users of your snooping policy. Ours reads:

Your keyboard input may be monitored in the event of a real or perceived security incident.

Some connections do not see the message of the day; for example, ftp sessions and rsh ed copies of xterm . Users can also suppress the message by creating a file called .hushlogin in their home directories. You may want to ensure that users see the notification at least once by including it in the startup files you give to new users.

Be sure to specify that users indicate acknowledgment of your written policy by using their accounts. Explain where users can get additional copies of policy documents and post key documents on an appropriate bulletin board. Also include the specific penalty for noncompliance (deletion of the account, etc.).

Suppose something naughty is posted to news or the web from your site. If you are CompuServe (now part of AOL), this is a problem. In a case called Cubby v. CompuServe, something libelous was posted. The judge ruled that CompuServe was not guilty, but found the moderator of the newsgroup to which it was posted negligent. The more you try to control information, the more liable you become.

This principle is beautifully illustrated by the story of a Texas business founded by an enterprising computer science student of ours, Cheeser. He wrote Perl scripts to mine the Usenet news groups, collect naughty pictures, and build a subscription web site based on that content. He charged $12/month to subscribers and was raking in money hand over fist.

Cheeser tried to be a responsible pornographer and did not subscribe to newsgroups known to carry child pornography. He also monitored several newsgroups that were on the edge, sometimes with illegal content, sometimes not. This minimal oversight and his choice of a conservative county in Texas in which to locate his business were his downfall.

Acting on an anonymous tip (perhaps from a competitor), the local police confiscated his computers. Sure enough, they found an instance of child pornography that had been posted to one of the “safer” newsgroups. The criminal case never went to trial, but during the plea bargaining it became clear that the judge thought Cheeser was guilty—not because he had created the content, but because he was not a good enough censor. The implication was that if Cheeser had done no censoring at all, he would have been legally OK. Never censor your porn.

If your site provides news to its users, you may be safest if your site subscribes to all the newsgroups. Do not censor postings or base your pruning of the newsgroup hierarchy on content. However, a technical reason for pruning (such as a lack of disk space) is probably OK. If you must prune, do it high in the tree. Removing all of alt is easier to justify than removing alt.sex.fetish.feet but not alt.sex.bestiality.hamsters.

See page 698 for more information about Usenet news.

This principle also applies to other interactions with the outside world. From a legal standpoint, the more you monitor your users’ use of the Internet, the more you may be liable for their actions or