Nmap Announce mailing list archives

Re: decoy traffic and legal admissibility of logs in court


From: Sebastian <scut () nb in-berlin de>
Date: Sat, 10 Apr 1999 23:56:38 +0200 (CEST)


Hi readers, hi Ken.

Well, I'm not a lawyer, and I certainly have no experience with the law :)

But in my view logs have never been real proof in themselves. They can just
give some points where you might find proofs.

This discussion is nearly the same as the one whether digital signatures
should be allowed. Sure there is encryption, but even with the most
sophisticated encryption a compromise on the remote computer and the
correct sniffed passphrase will identify you as this person.

With logs, it's just the same: they are weak, can be spoofed, changed,
compromised, deleted; anything can be done with them. In case they are not
modifiable (like line printer logs) you can still add data to them, or
modify data that goes to them.

So, since there was and there is the possibility for an attacker to modify
logs, I won't ever let them count for anything in themselves in court.
But together with real-life proofs, like other people having watched this nifty
computer guy hacking together Melissa (;-), they may help to reconstruct
the situation.

But as you said, the amount of spoofed logs will of course increase as new
tools etc. are published. This may weaken the trust put into logs presented
in court.

In my opinion logs should indeed be used in court, but not as proofs.

cu,
scut

-- 
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet  --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -----------------------------------------------------------------

On Sat, 10 Apr 1999, Ken Williams wrote:

During a conversation recently about some network hacks in which a number
of machines were compromised, and while I was going through logs of
several machines that have been compromised on a couple of different
networks that I admin, an interesting legal issue regarding decoy traffic
came up.  After analysis of logs, it has become clear that some of the
traffic can definitely be attributed to decoys/spoofing.  Consequently,
the question of the validity of system logs and the legal admissibility of
logs in court, in general, has arisen.  The recent issue regarding
Linux kernels <= 2.0.35 and blind TCP spoofing figures into the equation
too now, especially with the release of the receive.c and lin35.c spoof
code.

Ken Williams
jkwilli2 () csc ncsu edu 


