Re: CRIME Kudos to Acting Police Chief Andrew Kirkland

From: Crispin Cowan (crispin@private)
Date: Tue Nov 27 2001 - 11:30:18 PST

    FARRIMOND Ronald K wrote:
    
    >Crispin and Andrew, your responses to Ron don't address the main point of
    >Ron's comment which is that the Portland police are misapplying this law.
    >
    We have all collectively been told to take the off-topic crap 
    elsewhere, so I'm trying to keep it topical to CRIME's computer/crime 
    subject. So while I could respond to various points (including 
    webb1973's veiled accusation that I'm some kind of suspect) I do not 
    intend to. Considering webb1973's pseudo-anonymous hotmail account, his 
    claim of not being a PDX resident, and his behavior, I'm half-way 
    convinced that he's some kind of troll who just gets amusement from 
    stirring us up. So unless I can find some way to bring computers into 
    the post, I will not respond.
    
    >As Ron said, if they were to interpret this law the same way that they are
    >interpreting it in this situation, they wouldn't be able to question anyone
    >about a crime other than the criminal if they could find them without
    >talking to anyone else.  How does the Portland police department have the
    >right to pick and choose when they want to abide by this law...assuming that
    >it should be interpreted the way the Portland police department has decided
    >it should be applied in this situation???
    >
    [digging hard to find a computer issue here]
    So just who would be the passers-by and associated witnesses in the case 
    of a computer crime? In some cases, such as (say) a pump&dump scam 
    perpetrated in an online forum (as happens from time to time) then the 
    forum participants are the obvious candidates. But in other cases, such 
    as a penetration or a DDoS attack, on-line users of the victim machine 
    have very little useful to observe, and may actually be difficult to 
    identify.
    
    The ephemeral nature of computer data also makes for some serious 
    evidentiary issues that are of concern to prosecutors and civil 
    libertarians alike:
    
        * Log files are not tamper-resistant, and can be edited. The law
          knows this, and there are strict standards for how log files that
          are to be used as evidence are to be handled. It's detailed &
          tricky, so get a lawyer or law officer who is more of an expert
          than I am :-) or give up on prosecution based on your system logs.
        * There is no data equivalent of a finger-print. You can show that a
          victim machine has been penetrated, but you cannot meaningfully
          associate the evidence of penetration with any person, because all
          such evidence can be faked. To get a prosecution, you have to use
          detective work to track down the attacker's physical location, and
          then seize the attacker's computer with sufficient surprise to
          preserve evidence from the attacker's side.
        * The civil libertarian concern is that the FBI is now (allegedly)
          employing virii to crack into suspects' computers to obtain keys.
          But if they can do that, they can also drop evidence onto a
          computer that suggests that it was used in an attack. Again, the
          problem here is oversight: most law officers would not consider
          doing such a thing, but if someone *does* do it, it may be
          difficult to detect.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    