FARRIMOND Ronald K wrote:

>Crispin and Andrew, your responses to Ron don't address the main point of
>Ron's comment which is that the Portland police are misapplying this law.
>

We have all collectively been told to take the off-topic crap elsewhere, so I'm trying to keep it topical to CRIME's computer/crime subject. So while I could respond to various points (including webb1973's veiled accusation that I'm some kind of suspect) I do not intend to. Considering webb1973's pseudo-anonymous hotmail account, his claim of not being a PDX resident, and his behavior, I'm half-way convinced that he's some kind of troll who just gets amusement from stirring us up. So unless I can find some way to bring computers into the post, I will not respond.

>As Ron said, if they were to interpret this law the same way that they are
>interpreting it in this situation, they wouldn't be able to question anyone
>about a crime other than the criminal if they could find them without
>talking to anyone else. How does the Portland police department have the
>right to pick and choose when they want to abide by this law...assuming that
>it should be interpreted the way the Portland police department has decided
>it should be applied in this situation???
>

[digging hard to find a computer issue here]

So just who would be the passers-by and associated witnesses in the case of a computer crime? In some cases, such as (say) a pump&dump scam perpetrated in an online forum (as happens from time to time) then the forum participants are the obvious candidates. But in other cases, such as a penetration or a DDoS attack, on-line users of the victim machine have very little useful to observe, and may actually be difficult to identify.

The ephemeral nature of computer data also makes for some serious evidentiary issues that are of concern to prosecutors and civil libertarians alike:

* Log files are not tamper-resistant, and can be edited. The law knows this, and there are strict standards for how log files that are to be used as evidence are to be handled. It's detailed & tricky, so get a lawyer or law officer who is more of an expert than I am :-) or give up on prosecution based on your system logs.
* There is no data equivalent of a finger-print. You can show that a victim machine has been penetrated, but you cannot meaningfully associate the evidence of penetration with any person, because all such evidence can be faked. To get a prosecution, you have to use detective work to track down the attacker's physical location, and then seize the attacker's computer with sufficient surprise to preserve evidence from the attacker's side.
* The civil libertarian concern is that the FBI is now (allegedly) employing viruses to crack into suspects' computers to obtain keys. But if they can do that, they can also drop evidence onto a computer that suggests that it was used in an attack. Again, the problem here is oversight: most law officers would not consider doing such a thing, but if someone *does* do it, it may be difficult to detect.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:33:45 PDT