Information Security News mailing list archives
Will the Real Criminal Please Stand Up?
From: security curmudgeon <jericho () ATTRITION ORG>
Date: Thu, 15 Mar 2001 22:12:02 -0700
UNIX SECURITY --- March 15, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters

Will the Real Criminal Please Stand Up?
By Carole Fennelly

Computer crimes present a monumental challenge to legal systems worldwide. Charged with administering justice, the courts generally do not understand the complicated technical evidence required to conclusively prove guilt in a computer crime. Meanwhile, law enforcement agencies advocate stiffer penalties and prosecutors employ hacker stereotyping rather than hard evidence to sway juries.

Recently, the UK approved legislation equating computer crimes with terrorism (http://www.cnn.com/2001/TECH/internet/02/20/hackers.terrorists.idg/index.html). Henceforth, electronic vandals are on the same level as people who consciously murder children in the name of a "cause". A pretty harsh characterization, but one that makes it all the more critical that we ensure justice is properly served.

Sadly, the legal system remains incapable of understanding technical evidence. My recent involvement in a trial of an accused computer criminal made this point quite clear. Try explaining computer science to your grandmother sometime. She will seem easy compared to a court.

Reading through the trial's transcripts, I noticed some confusion concerning the legality of portscanning. The transcripts showed someone stating that it "...can be done legitimately and not legitimately." If you remember nothing else, then remember this: A portscan is not an attack! A portscan equates to walking down the street and checking for open doors and windows. Sure, it can indicate that someone is "casing the joint", but a portscan in and of itself is harmless.

The prosecution made much ado about the defendant possessing portscanning tools and using them in the past (gasp!). Now remember, portscanning is not a crime; however, it was used to establish the defendant's state-of-mind, intent, and ability to attack computers.
Factors such as this take center stage when the prosecution relies largely on circumstantial evidence. Evidence is defined as direct -- proof of a fact -- or circumstantial -- an inference made by the jury based on experience and logic. Jurors are asked to use their common sense in evaluating a case.

A recent Florida case saw a teacher file Federal wiretapping charges against a student for taping a lecture without the teacher's express consent (http://www.cnn.com/2001/LAW/02/28/recording.charge.01.ap/index.html). Fortunately, the prosecutor's common sense and experience kept this ridiculous case from trial.

Well, most juries *have* no experience in computer forensics, so how can they fairly evaluate circumstantial evidence? The average person's computer science knowledge is comparable to an 18th century farmer's physics knowledge. For most people, science is indistinguishable from magic (a prime reason the Inquisition persecuted so many scientists).

My case involved over 100 pages of testimony describing how the intruder ftp'd in from a trusted machine, brought over a sniffer package, failed to compile it, and then removed a critical database file. No direct evidence showing the attacker's identity, just an account of the events. I watched two days of irrelevant testimony describing simple commands that anyone could have run. The jury and the court seemed clueless when the witness spoke, but it sure sounded technical. I found it tedious and I *did* understand him.

The technical evidence, mind-numbingly boring and meaningless to the jury, did not conclusively prove the attacker's identity, so the prosecution turned to circumstantial evidence. Labeling the defendant a "hacker" certainly helped convince the jury of the defendant's guilt. What are average people's real-life experiences with hackers? The media? Movies? Using images in a courtroom may make the prosecutor's life easier, but it's a dangerous practice.
Take Robert Hanssen, the FBI agent accused of being a Russian spy, for example. Judging by appearances, which everyone did for the past 25 years, he seemed to be a model citizen. Hell, even his wife had no idea (http://www.cnn.com/2001/US/03/01/spy.wife)!

Obviously, determining guilt for a crime must hinge on the technical facts that are presented, not "hacker" labels. Interpreting facts so the juries and courts will understand presents the real difficulty, though.

Having an online handle is not a crime. Studying methods of defeating computer systems' security is not a crime. Running a Web site about hacking is not a crime. Breaking into a system without authorization *is* a crime. Stealing or destroying data that belongs to someone else *is* a crime. And abusing a position of authority and trust is a *very* serious crime.

As the legal system begins understanding computer crime (but it has a very long way to go), labeling hackers as terrorists is unreasonable and a further burden to the system. In fact, this legislation could backfire when a jury is unwilling to convict a defendant to hard time when they don't think he deserves it. The alternative would be to let them go free, which is also wrong. When a crime is committed, appropriate justice must be served. Labeling computer crime as terrorism just sanitizes terrorism.

About the author(s)
-------------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for Unix Insider (http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennelly () unixinsider com.
________________________________________________________________________________

ADDITIONAL RESOURCES

Malaysian Hackers face indefinite detention
http://www.cnn.com/2001/TECH/computing/01/10/malaysian.hackers.idg/index.html

Australians prosecute hackers as terrorists
http://www.zdnet.com/zdnn/stories/news/0,4586,2691323,00.html

Interesting article on Unblinking News showing Robert Hanssen's online activities
http://tbtf.com/unblinking/arc/2001-02a.htm

Spy Hypocrite
http://www.time.com/time/nation/article/0,8599,100391,00.html

CERT Intrusion Detection Checklist
http://www.cert.org/tech_tips/intruder_detection_checklist.html

Basic Steps in Forensic Analysis of a Unix System (Dittrich)
http://staff.washington.edu/dittrich/misc/forensics/

Interview with Jennifer Granick, famed defense attorney for computer crime:
http://www.infosecuritymag.com/articles/march01/features2_q&a.shtml

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".