FARRIMOND Ronald K wrote:
>Crispin and Andrew, your responses to Ron don't address the main point of
>Ron's comment which is that the Portland police are misapplying this law.
>
We have alll collectively been told to take the off-topic crap
elsewhere, so I'm trying to keep it topical to CRIME's computer/crime
subject. So while I could respond to various points (including
webb1973's veiled accusation that I'm some kind of suspect) I do not
intend to. Considering webb1973's pseudo-anonymous hotmail account, his
claim of not being a PDX resident, and his behavior, I'm half-way
convinced that he's some kind of troll who just gets amusement from
stirring us up. So unless I can find some way to bring computers into
the post, I will not respond.
>As Ron said, if they were to interpret this law the same way that they are
>interpreting it in this situation, they wouldn't be able to question anyone
>about a crime other than the criminal if they could find them with out
>talking to anyone else. How does the Portland police department have the
>right to pick and choice when they want to abide by this law...assuming that
>it should be interpreted the way the Portland police department has decided
>it should be applied in this situation???
>
[digging hard to find a computer issue here]
So just who would be the passers-by and associated witnesses in the case
of a computer crime? In some cases, such as (say) a pump&dump scap
perpetrated in an online forum (as happens from time to time) then the
forum participants are the obvious candidates. But in other cases, such
as a penetration or a DDoS attack, on-line users of the victim machine
have very little useful to observe, and may actually be difficult to
identify.
The ephemeral nature of computer data also makes for some serious
evidenciary issues that are of concern to prosecutors and civil
libertarians alike:
* Log files are not tamper-resistant, and can be edited. The law
knows this, and there are strict standards for how log files that
are to be used as evidence are to be handled. It's detailed &
tricky, so get a lawyer or law officer who is more of an expert
than I am :-) or give up on prosecution based on your system logs.
* There is no data equivalent of a finger-print. You can show that a
victim machine has been penetrated, but you cannot meaningfully
associate the evidence of penetration with any person, because all
such evidence can be faked. To get a prosecution, you have to use
detective work to track down the attacker's physical location, and
then seize the attacker's computer with sufficient surprise to
preserve evidence from the attacker's side.
* The civil libertarian concern is that the FBI is now (allegedly)
employing virii to crack into suspects' computers to obtain keys.
But if they can do that, they can also drop evidence onto a
computer that suggests that it was used in an attack. Again, the
problem here is oversight: most law officers would not consider
doing such a thing, but if someone *does* do it, it may be
difficult to detect.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:33:45 PDT