The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive



Commercial Perspectives on Information Assurance Research

William T. Mayfield
Added 2002-07-26

A Recursive TCP Session Token Protocol for Use in Computer Forensics and Traceback

CERIAS TR 2001-19
Brian Carrier
Download: PDF

In this thesis, a new protocol is presented, the Session Token Protocol (STOP), that can assist in the forensic analysis of a computer involved in malicious network activity.  It has been designed to trace attackers who log on to a series of hosts to hide their identity.  The protocol utilizes the Identification Protocol (ident) infrastructure and improves its capabilities and users’ privacy.  The STOP protocol saves user- and application-level data associated with a requested TCP connection and returns a random token.  The user- and application-level data are not revealed until the token is returned to the local administrator.  A trail of tokens can be created by sending a traceback request to the previous host from which the user has connected.  The previous host will save the appropriate data, return a token, and send a new traceback request.  This allows an incident investigator to trace attackers to their home systems, but does not violate the privacy of normal users.  This thesis also describes how the new protocol was implemented on three platforms.

Added 2002-07-26

Data Mining for Web Security: UserWatcher

CERIAS TR 2001-20
Malika Mahoui and Bharat Bhargava and Mukesh Mohania
Download: PDF
Added 2002-07-26

User Content Mining Supporting Usage Content Mining for Web Personalization

CERIAS TR 2001-21
Malika Mahoui and Bharat Bhargava and Mukesh Mohania
Download: PDF
Added 2002-07-26


Informative Protection Assessment Kit

The Informative Protection Assessment Kit (IPAK) is a self-administered test intended to help you determine how well your organization’s information protection program is doing.  Designed to provide more than just a snapshot of your existing status, it is a tool for monitoring your program over time.  Completed annually, the IPAK can provide a relatively objective view of your progress.

Added 2002-07-26

Cipher

Added 2002-07-26

Cipher

Added 2002-07-26

Cipher

Added 2002-07-26

Cipher

Added 2002-07-26

Cipher

Added 2002-07-26

Prime numbers with a fixed number of one bits or zero bits in their binary representation

CERIAS TR 2001-33
Samuel S. Wagstaff Jr.
Download: PDF
Added 2002-07-26

Stock Price Crashes and 10b-5 Damages: A Legal, Economic, and Policy Analysis

Baruch Lev, Meiring de Villiers

Sharp stock price declines, or crashes, occurring upon the release of negative corporate information often trigger shareholder litigation under Securities and Exchange Commission rule 10b-5.  The prevailing method for calculating damages in these cases assumes that the stock price immediately following the disclosure reflects the security’s “true value.” Plaintiffs use this value to calculate their losses during the entire period in which fraud allegedly inflated the share price. In this article, Professor Lev and Mr. de Villiers argue that a “crash price” is an unreliable, doctrinally erroneous, and economically unsound measure of damages. They propose alternative methods of damage calculation that extract the crash component from a postdisclosure price and yield a more accurate and fairer estimate of a stock’s true value.

Added 2002-07-26

A Legal and Economic Analysis of Computer Virus Infection

Meiring de Villiers

A victim of computer virus infection may bring legal action under a negligence theory against entities such as web site operators and other providers and distributors of infected software. Proof of specific negligence is simple in cases involving a familiar virus strain that could have been prevented inexpensively. In cases involving complex and novel strains, and where lapses in compliance with the non-durable component of anti-viral precautions leave no evidentiary trace, such direct proof may be impossible. This article develops a theory of circumstantial evidence, based on the doctrine “res ipsa loquitur”, aimed at alleviating a virus victim’s burden of proof.  “Res ipsa loquitur” allows an inference of negligence based on the mere occurrence of an accident and the circumstances surrounding it, and does not require proof of specific negligence.  The analytical core of the article consists of two components. (i) A probabilistic analysis derives a mathematical formulation of the “res ipsa” conditions, and identifies the factors that make a strong “res ipsa” case.  (ii) An analysis based on (a) the computer science of the structure, operation and detection of computer viruses, and (b) the law and economics of virus detection and elimination, establishes that a malfunction resulting from computer virus infection typically constitutes a strong “res ipsa” case. A general software malfunction, in contrast, presents a weak “res ipsa” case. The “res ipsa” inference of negligence is particularly strong in cases of infected mission-critical software, such as components of the national critical information infrastructure. A final section addresses aspects of damages, including a model of damages and analysis of the economic loss rule in a computer virus context.

Added 2002-07-26