Nmap Announce mailing list archives
Re: decoy traffic and legal admissibility of logs in court
From: David Pick <D.M.Pick () qmw ac uk>
Date: Sat, 10 Apr 1999 23:06:40 +0100
> during conversation recently about some network hacks in which a number of machines were compromised, and while i was going through logs of several machines that have been compromised on a couple of different networks that i admin, an interesting legal issue regarding decoy traffic came up. after analysis of logs, it has become clear that some of the traffic can definitely be attributed to decoys/spoofing. consequently, the question of the validity of system logs and the legal admissibility of logs in court, in general, has arisen. the recent issue regarding Linux kernels <= 2.0.35 and blind tcp spoofing figures into the equation too now, especially with the release of the receive.c and lin35.c spoof code. thoughts? comments? suggestions? flames?
Personally I would expect any evidence such as system logs to be explained in court by an expert witness. Any court that does not require an explanation to a lay jury is contemptible. Any "expert" witness who does not consider the *possibility* of IP source address "spoofing" deserves to be torn to shreds in court and does not deserve to be called an "expert".

This means there *must* be more evidence than just the system logs of the attacked machine(s) showing the source address. Even evidence of a completed connection and packet exchange is not enough - someone with access to the net in between the "source" and destination can insert packets and read the responses as they go past.

In my not-so-humble opinion, further logs from independent sources should corroborate the attacked system logs. For example, a pattern of attacks from varying IP addresses all belonging to an ISP, coupled with ISP logs showing the same user dialed up on each occasion, is a *lot* stronger than either set of logs alone. (Of course, no "cracker" worth his salt would be caught *that* easily.) But you get the idea.

On the other hand I wouldn't want to give the idea that system logs are not (or should not be) admissible evidence in court; only that you have to be very careful about your testimony about exactly what they mean and what inferences can be drawn from them. And the recent additions to "nmap" do not, in my opinion, change the situation one little bit; the possibilities were *always* there, it's now just a little easier for attackers to use them.

Incidentally, in the UK it is necessary to produce a certificate that the computer system was functioning correctly when producing any computer-based evidence in court - which can make it difficult when your systems have been penetrated!

Another thing that's worrying me is that there is now a directive from the European Commission that member states must enact legislation that prohibits keeping logs of accesses to publicly available facilities for any purpose except billing, and then only until the billing process is completed. This is a matter of "human rights" to privacy. I'm seriously considering suggesting to my University that we should charge all our students for the traffic they generate on the Internet; that charge to be paid when they leave; and the charge to be of the order of a small enough fraction of a penny that no one would normally be charged enough to make it possible to actually bill them; but we'd have to keep the records to make sure that someone who really *did* use a *huge* amount of bandwidth *could* be charged! But we'll see exactly how the UK writes this into statute first.

-- 
David Pick
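The corroboration David describes (attacked-host logs showing varying source addresses, cross-checked against an independent ISP dial-up accounting log) as an added worked example; this is not code from the thread, and the syslog lines, the `user,ip,start,end` session format and all addresses and names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: the victim's syslog (source 1) and the ISP's
# dial-up session accounting (source 2). Neither is from the original thread.
ATTACK_LOG = """\
Apr 10 22:01:13 victim sshd[812]: connection from 192.0.2.17
Apr 10 22:04:51 victim sshd[819]: connection from 192.0.2.43
Apr 10 22:09:02 victim sshd[825]: connection from 198.51.100.9
Apr 10 22:15:30 victim sshd[831]: connection from 192.0.2.88
"""

# Hypothetical ISP records: user, assigned IP, session start, session end.
ISP_SESSIONS = """\
alice,192.0.2.17,1999-04-10 21:55:00,1999-04-10 22:03:00
alice,192.0.2.43,1999-04-10 22:03:30,1999-04-10 22:07:00
alice,192.0.2.88,1999-04-10 22:12:00,1999-04-10 22:30:00
bob,192.0.2.9,1999-04-10 21:00:00,1999-04-10 23:00:00
"""

def parse_attacks(text, year=1999):
    """syslog has no year; the caller supplies it. Returns (timestamp, source_ip)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        stamp = datetime.strptime(f"{year} {parts[0]} {parts[1]} {parts[2]}",
                                  "%Y %b %d %H:%M:%S")
        events.append((stamp, parts[-1]))
    return events

def parse_sessions(text):
    """Returns (user, ip, start, end) tuples from the constructed CSV format."""
    fmt = "%Y-%m-%d %H:%M:%S"
    sessions = []
    for line in text.splitlines():
        user, ip, start, end = line.split(",")
        sessions.append((user, ip, datetime.strptime(start, fmt),
                         datetime.strptime(end, fmt)))
    return sessions

def corroborate(events, sessions):
    """Map each attack event to the ISP user who held that IP at that moment.
    An event no session explains (e.g. a decoy/spoofed source) maps to None."""
    out = []
    for stamp, ip in events:
        user = next((u for u, sip, start, end in sessions
                     if sip == ip and start <= stamp <= end), None)
        out.append((stamp, ip, user))
    return out

def attribution(events, sessions):
    """Count corroborated events per user; None collects the uncorroborated ones."""
    counts = {}
    for _, _, user in corroborate(events, sessions):
        counts[user] = counts.get(user, 0) + 1
    return counts
```

On the sample data three of the four source addresses resolve to the same dial-up user while the fourth matches no session at all, which is exactly the kind of gap an expert witness has to account for before drawing any inference from the victim's logs alone.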
Current thread:
- decoy traffic and legal admissibility of logs in court Ken Williams (Apr 10)
- Re: decoy traffic and legal admissibility of logs in court Sebastian (Apr 10)
- Re: decoy traffic and legal admissibility of logs in court Andreas Bogk (Apr 11)
- Re: decoy traffic and legal admissibility of logs in court David Pick (Apr 10)
- Re: decoy traffic and legal admissibility of logs in court Adam Shostack (Apr 10)
- Re: decoy traffic and legal admissibility of logs in court Ron Hale (Apr 12)
- Re: decoy traffic and legal admissibility of logs in court Philip Ehrens (Apr 12)
- <Possible follow-ups>
- RE: decoy traffic and legal admissibility of logs in court Meritt, Jim (Apr 12)
- Re: decoy traffic and legal admissibility of logs in court Sebastian (Apr 10)